Getting Data In

Parsing logs from Logstash

gcusello
SplunkTrust

Hi all,

I have to parse logs extracted from logstash.

I'm receiving Logstash logs; they are in JSON format and almost all the fields I need are already parsed and available in the JSON.

My issue is that the event raw data is in a field called "message", and the fields inside it aren't automatically extracted as I would like.

I'd like to avoid re-parsing all data sources and creating custom add-ons for every data source.

Has anybody encountered this kind of integration, and does anyone know a way to use the standard add-ons to parse only the message field?

Thank you for your help.

Ciao.

Giuseppe

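One way to get the standard add-ons to parse the wrapped events, shown here as an added example that is not part of the original thread and is not the poster's configuration: at index time, change the sourcetype of each event to the add-on's sourcetype and then replace _raw with the contents of the "message" field, so that the add-on's search-time extractions and CIM tags see the original log line instead of the Logstash JSON wrapper. The sourcetype names (logstash:json for the incoming events, cisco:asa as the target add-on sourcetype) and the field names host.name and logstash_host are assumptions for illustration; using json_extract inside INGEST_EVAL assumes Splunk Enterprise 8.1 or later.

```ini
# props.conf (on the indexers or heavy forwarder that first parses the events)
[logstash:json]
# assumed name for the Logstash output; one JSON object per line
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# take the timestamp from the wrapper before it is discarded
TIME_PREFIX = "@timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ
MAX_TIMESTAMP_LOOKAHEAD = 30
# order matters: set the new sourcetype first, then rewrite _raw
TRANSFORMS-unwrap = logstash_set_sourcetype, logstash_unwrap_message

# transforms.conf
[logstash_set_sourcetype]
# assumption: this feed carries only ASA syslog, so every event gets the add-on sourcetype;
# with mixed sources, use one such stanza per source with a REGEX that identifies it
REGEX = .
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[logstash_unwrap_message]
# keep one wrapper field as an indexed field (assumed path host.name), then replace
# _raw with the decoded "message" string; json_extract undoes JSON escaping (\" and \n)
INGEST_EVAL = logstash_host=json_extract(_raw, "host.name"), _raw=json_extract(_raw, "message")

# fields.conf: make the preserved wrapper field searchable as an indexed field
[logstash_host]
INDEXED = true
```

Two caveats a practitioner would check before relying on this. First, the rewrite happens after the original sourcetype's index-time settings have run, so any index-time transforms the target add-on defines for its own sourcetype are not applied; only its search-time extractions, lookups and tags are. Second, the wrapper's other JSON fields are gone from _raw once the rewrite runs, so any of them that are needed must be carried over explicitly as above. Verify with a search such as `sourcetype=cisco:asa | head 5 | table _time logstash_host src dest action` and confirm the CIM tags with `| tags`; if _raw still shows the JSON wrapper, the sourcetype or the transform order in props.conf is wrong.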

_JP
Contributor

Just some thoughts from a philosophical perspective...

Splunk loves to parse/extract/search data, and the overall architecture to me lets us treat compute and storage as a total commodity in the pursuit of "searching and making sense of our data."  So let Splunk do its thing...if you have to do some extra parsing, do some extra parsing to get the problem solved.  Then optimize. That's sort of my same coding philosophy that I just pull forward into what I do in Splunk:  get it working, then get it working well.

So if you get it working...and it isn't the slowest thing in your environment, then let all of your distributed compute do its thing until the "cost" of your time to optimize outweighs the "cost" of the extra processing time spent running your query/extracts.


gcusello
SplunkTrust

Hi @_JP,

I conceptually agree with you, but the customer already has logs in Logstash and wants to use Enterprise Security, which uses CIM.

For this reason I have to ingest and parse the Logstash data, while trying to persuade the customer to move to Universal Forwarders.

I asked the Community whether someone has already addressed this problem, to get some hints or points to watch out for.

Anyway, working on my own, I have already mapped some data flows onto standard add-ons.

Thank you for your answer.

Ciao.

Giuseppe
