Do I need to modify props to capture 2 formats of logs?
I have 2 types of data and the props given below. I am seeing internal logs like:
ERROR JsonLineBreaker - JSON StramID:13457545565443322455 had parsing error: Unexpected character: 'a' - data_source........
Do I need to modify props to capture 2 formats of logs?
props:
[sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
LINE_BREAKER=([\r\n]+)
Sample data:
{[-]
UserID: Null
host: apl-45678
level: medium
message: cliendid: null, secondaryClientid: null, userid: unknown, respinsetime:1.34455
timestamp: 2022-01-22T21:23:44.897Z
}
{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", "host":"apl-12345", "userid": "NA", "message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - {"accept": "text/plain, application/json:*************************************************************************, "host:""apl-12345", "connection":"unknown"}"}


You say you have two types of data, but the examples look very similar to me. In general, yes, two types of data call for 2 sets of props, but I believe that is not the case here.
In this case, I believe the problem is the data is not well-formed JSON so Splunk cannot parse it. Paste the events into jsonlint.com to see what I mean.
If this reply helps you, Karma would be appreciated.
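The well-formedness check suggested in the reply above can also be run offline before touching props. This is an added example, not code from the thread or from Splunk: the function names and the shortened sample events are constructed, modelled on the event in the question, and it uses Python's json module, whose error wording differs from Splunk's.

```python
import json

# Constructed sample modelled on the event in the question (header value shortened).
MALFORMED = (
    '{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", '
    '"host":"apl-12345", "userid": "NA", '
    '"message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - '
    '{"accept": "text/plain", "host:""apl-12345", "connection":"unknown"}"}'
)

# Assumed intent: same event, message emitted as one JSON string (quotes escaped).
WELL_FORMED = json.dumps({
    "timestamp": "2022-01-22T21:23:44.897Z",
    "level": "applevel",
    "host": "apl-12345",
    "userid": "NA",
    "message": 'apl-12345-20144 - unknown - GET - / - REQ-NAMES - '
               '{"accept": "text/plain", "host": "apl-12345", "connection": "unknown"}',
})


def check_event(raw):
    """Return None if raw parses as JSON, else a dict locating the first error."""
    try:
        json.loads(raw)
    except json.JSONDecodeError as exc:
        return {
            "error": exc.msg,
            "offset": exc.pos,
            "char": raw[exc.pos] if exc.pos < len(raw) else "",
            "context": raw[max(0, exc.pos - 15):exc.pos + 15],
        }
    return None


def check_stream(lines):
    """Validate one event per line; return {line_number: problem} for bad lines."""
    problems = {}
    for number, line in enumerate(lines, start=1):
        problem = check_event(line.strip()) if line.strip() else None
        if problem:
            problems[number] = problem
    return problems


if __name__ == "__main__":
    for number, problem in check_stream([WELL_FORMED, MALFORMED]).items():
        print(f"line {number}: {problem['error']} at offset {problem['offset']}, "
              f"char {problem['char']!r}, near {problem['context']!r}")
```

For the malformed sample the first offending character is the unquoted `a` that starts the `message` value, the same character named in the JsonLineBreaker error quoted in the question.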
Hi @richgalloway, actually I had only JSON logs before, but now logs with a timestamp have been added.
So I need props to fetch these other logs as well to avoid JSON parsing issues.
If the pasted JSON is correct, then this is badly formatted JSON:
"host:""apl-12345"
OK, I will try to change it, but can you please confirm the props I am using are correct?
If it is valid JSON and you want to use INDEXED_EXTRACTIONS, then this is all that is needed:
[sourcetype]
INDEXED_EXTRACTIONS=json
Note the implications of using this setting though.
