Getting Data In

nxlog output (json in *.log) and Splunk

mazurmateusz
Engager

Hello,

Sysadmins set nxlog syslog to put event logs from Windows into an external directory.
The log format is 'json' with extension *.log
My question is how to properly import that data into Splunk and index it.
Right now Splunk doesn't recognize all fields (like EventType, EventID, Hostname, etc.)

Thanks in advance

Mateusz

0 Karma

mazurmateusz
Engager

Hello,

I made something like that:

Add to props.conf:

[Test_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = 1
pulldown_type = 1

and restart SPLUNK

After restart try to upload file *.log
1. go to settings upload
2. pickup file
3. upload
4. choose Test_json as a source type
And then I got a preview error with the information 'change source type'.

Do you have any suggestions as to what I did wrong?

Regards,
M.

0 Karma

woodcock
Esteemed Legend

Before you use it, you need to define the sourcetype of Test_json by adding it to an inputs.conf file (or at the set sourcetype stage after Add Data when you use the GUI to do a New under Data Inputs -> Files & Directories, if you went that route).

0 Karma

woodcock
Esteemed Legend

It should be straightforward: just tell Splunk to get the *.log files with inputs.conf and then tell it about json like it says here:

http://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html
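A pre-ingest check for the files discussed in this thread, added here as an example and not posted by anyone above: it verifies that every line of an nxlog *.log file is a bare JSON object carrying the fields named in the question, and flags lines that have text in front of the object or are cut off. It assumes one event per line; the function names and the sample lines are constructed for illustration.

```python
import json
from collections import Counter

# Fields the question expects Splunk to extract from each event.
EXPECTED_FIELDS = ("EventType", "EventID", "Hostname")

# Constructed sample lines (not real data): a clean event, one with a
# syslog-style header before the JSON, one missing a field, one truncated.
SAMPLE_LINES = [
    '{"EventTime":"2015-03-02 10:15:01","Hostname":"WIN-APP01",'
    '"EventType":"AUDIT_SUCCESS","EventID":4624}',
    '<13>Mar  2 10:15:02 WIN-APP01 '
    '{"Hostname":"WIN-APP01","EventType":"INFO","EventID":7036}',
    '{"Hostname":"WIN-APP01","EventID":4634}',
    '{"Hostname":"WIN-APP01","EventType":"ERROR","EventID":',
]

def missing_fields(event):
    return [name for name in EXPECTED_FIELDS if name not in event]

def check_line(line):
    """Return (status, missing_fields) for one log line.

    status is 'ok' (bare JSON object), 'prefixed' (valid object preceded by
    other text), 'not_object', 'not_json' or 'empty'.
    """
    text = line.strip()
    if not text:
        return "empty", []
    try:
        event = json.loads(text)
    except json.JSONDecodeError:
        brace = text.find("{")
        if brace > 0:  # something precedes the first '{'
            try:
                return "prefixed", missing_fields(json.loads(text[brace:]))
            except json.JSONDecodeError:
                pass
        return "not_json", []
    if not isinstance(event, dict):
        return "not_object", []
    return "ok", missing_fields(event)

def summarize(lines):
    """Count line statuses and how often each expected field is absent."""
    statuses, missing = Counter(), Counter()
    for line in lines:
        status, absent = check_line(line)
        statuses[status] += 1
        missing.update(absent)
    return statuses, missing
```

To check a real file, pass an open file object to summarize(), for example summarize(open(path, encoding="utf-8")); any count other than 'ok' points at lines a JSON source type will not see as a clean object.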
