Sysadmins set up nxlog syslog to put event logs from Windows into an external directory.
The log format is 'json' with the extension *.log.
My question is how to properly import that data into Splunk and index it.
Right now Splunk doesn't recognize all fields (like EventType, EventID, Hostname etc.).
Thanks in advance.
I did something like this:
Added to props.conf:
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = 1
pulldown_type = 1
and restarted Splunk.
After the restart I tried to upload a *.log file:
1. Go to Settings, upload
2. Pick the file
3. Choose Test_json as the source type
And then I got a preview error with the message 'change source type'.
Do you have any suggestion about what I did wrong?
Before you use it, you need to define Test_json by adding it to an inputs.conf file (or at the "set sourcetype" stage after Add Data, if you used the GUI to do Data Inputs -> Files & Directories and went that route).
It should be straightforward: just tell Splunk to get the *.log files with inputs.conf and then tell it about json like it says here:
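Putting the two pieces of advice together, here is a worked pair of stanzas (an added example, not the answerer's own config). The monitor path, the dedicated wineventlog index and the EventTime timestamp field/format are assumptions; adjust them to the nxlog output you actually have.

```ini
# inputs.conf - on the Splunk instance (universal forwarder or indexer)
# that reads the directory nxlog writes into.
# Path is an assumption; use the export directory your sysadmins configured.
[monitor:///var/log/nxlog/windows]
disabled = false
# regex against the full path, so only the *.log exports are picked up
whitelist = \.log$
sourcetype = Test_json
# assumption: a dedicated index that already exists in indexes.conf;
# keeping Windows event data in its own index makes role-based access simpler
index = wineventlog

# props.conf - must live on the same instance that monitors the files,
# because INDEXED_EXTRACTIONS is applied where the file is read,
# not downstream on the indexer.
[Test_json]
INDEXED_EXTRACTIONS = json
# fields come from the JSON structure, so disable search-time KV extraction
KV_MODE = none
# nxlog writes one JSON object per line; never merge lines into one event
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
# assumption: nxlog's EventTime field formatted as "2014-05-20 12:34:56"
TIMESTAMP_FIELDS = EventTime
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# show Test_json in the GUI source type dropdown
pulldown_type = 1
```

After restarting, verify with a search such as `index=wineventlog sourcetype=Test_json | table _time Hostname EventID EventType`; if those columns are empty, the parsing props are not on the instance that monitors the files.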