Hello,
Sysadmins set up nxlog (syslog) to put Windows event logs into an external directory.
The log format is 'json', with the extension *.log.
My question is how to properly import that data into Splunk and index it.
Right now Splunk doesn't recognize all the fields (like EventType, EventID, Hostname etc.).
Thanks in advance,
Mateusz
Hello,
I did something like this:
Add to props.conf:
[Test_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = 1
pulldown_type = 1
and restarted Splunk.
After the restart, try to upload a *.log file:
1. go to Settings, Upload
2. pick the file
3. upload
4. choose Test_json as the source type
And then I got a preview error saying 'change source type'.
Do you have any suggestion what I did wrong?
Regards,
M.
Before you use it, you need to define the sourcetype of Test_json by adding it to an inputs.conf file (or at the set sourcetype stage after Add Data, when you use the GUI to do a New under Data Inputs -> Files & Directories, if you went that route).
It should be straightforward: just tell Splunk to get the *.log files with inputs.conf and then tell it about json like it says here:
http://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html
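As an added example (not from the original thread or from Splunk's own docs), here is the inputs.conf plus props.conf pair the answer above describes, assuming NXLog writes one JSON object per line with an EventTime field in NXLog's default "YYYY-MM-DD hh:mm:ss" format; the path /var/log/nxlog/windows/ and the index name wineventlog are placeholders:

```conf
# inputs.conf (on the instance that reads the files: the forwarder, or the
# indexer if the directory is mounted there). Path is a placeholder.
[monitor:///var/log/nxlog/windows/*.log]
sourcetype = Test_json
index = wineventlog
disabled = 0

# props.conf, same instance. INDEXED_EXTRACTIONS is applied where the file is
# read, so this stanza must live on the forwarder, not only on the search head.
[Test_json]
INDEXED_EXTRACTIONS = json
# JSON fields are already indexed; disable search-time KV so they are not
# extracted twice.
KV_MODE = none
# NXLog emits one JSON event per line, so never merge lines into one event.
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
# Take the event time from NXLog's EventTime field instead of the arrival time.
# Assumed format: NXLog default "YYYY-MM-DD hh:mm:ss".
TIMESTAMP_FIELDS = EventTime
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Windows event messages can be long; do not truncate the JSON line.
TRUNCATE = 0
category = Custom
pulldown_type = 1
```

If EventTime is not parsed, Splunk falls back to the file's modification time, so check `_time` against EventTime on a few events after the restart.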