Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Do I need to modify props to capture 2 format of logs?

mahesh27
Communicator
‎05-23-2023 03:33 PM

Sample data:
i have 2 types of data and below props given, i am seeing internal logs like

ERROR JsonLineBreaker - JSON StramID:13457545565443322455 had parsing error: Unexpected character: 'a' - data_source........

Do i need to modify props to capture 2 format of logs??

props:
[sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
LINE_BREAKER=([\r\n]+)

 

{[-]
UserID: Null
host: apl-45678
level: medium
message: cliendid: null, secondaryClientid: null, userid: unknown, respinsetime:1.34455
timestamp: 2022-01-22T21:23:44.897Z
}

 

 

 

{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", "host":"apl-12345", "userid": "NA", "message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - {"accept": "text/plain, application/json:*************************************************************************, "host:""apl-12345", "connection":"unknown"}"}

 

 

 

{[-]
UserID: Null
host: apl-45678
level: medium
message: cliendid: null, secondaryClientid: null, userid: unknown, respinsetime:1.34455
timestamp: 2022-01-22T21:23:44.897Z
}

 

 

 

{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", "host":"apl-12345", "userid": "NA",
 "message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - {"accept": "text/plain, application/json:*************************************************************************, "host:""apl-12345", "connection":"unknown"}"}

 


 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2023 05:08 PM

You say you have two types of data, but the example look very similar to me.  In general, yes, two types of data call for 2 set of props, but I believe that is not the case here.

In this case, I believe the problem is the data is not well-formed JSON so Splunk cannot parse it.  Paste the events into jsonlint.com to see what I mean.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mahesh27
Communicator
‎05-23-2023 05:56 PM

hi @richgalloway, actually i have only json logs before, but now logs with timestamp added.
so i need props to fetch this other logs as well to avoid json parsing issues.

0 Karma
Reply

yeahnah
Motivator
‎05-23-2023 06:13 PM

If the pasted JSON is correct then this is badly formatted JSON

"host:""apl-12345"

 

0 Karma
Reply

mahesh27
Communicator
‎05-23-2023 06:24 PM

ok will try to change it, but can you please confirm the props i am using is correct??

0 Karma
Reply

yeahnah
Motivator
‎05-23-2023 06:52 PM

If it is valid JSON and you want to use INDEXED_EXTRACTIONS then this is all that is needed.

[sourcetype]
INDEXED_EXTRACTIONS=json

Note the implications of using this setting though.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf#Structured_Data_Header_Extraction...

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top