- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Do I need to modify props to capture 2 format of l...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do I need to modify props to capture 2 format of logs?
Sample data:
i have 2 types of data and below props given, i am seeing internal logs like
ERROR JsonLineBreaker - JSON StramID:13457545565443322455 had parsing error: Unexpected character: 'a' - data_source........
Do i need to modify props to capture 2 format of logs??
props:
[sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
LINE_BREAKER=([\r\n]+)
{[-]
UserID: Null
host: apl-45678
level: medium
message: cliendid: null, secondaryClientid: null, userid: unknown, respinsetime:1.34455
timestamp: 2022-01-22T21:23:44.897Z
}
{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", "host":"apl-12345", "userid": "NA", "message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - {"accept": "text/plain, application/json:*************************************************************************, "host:""apl-12345", "connection":"unknown"}"}
{[-]
UserID: Null
host: apl-45678
level: medium
message: cliendid: null, secondaryClientid: null, userid: unknown, respinsetime:1.34455
timestamp: 2022-01-22T21:23:44.897Z
}
{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", "host":"apl-12345", "userid": "NA",
"message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - {"accept": "text/plain, application/json:*************************************************************************, "host:""apl-12345", "connection":"unknown"}"}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say you have two types of data, but the example look very similar to me. In general, yes, two types of data call for 2 set of props, but I believe that is not the case here.
In this case, I believe the problem is the data is not well-formed JSON so Splunk cannot parse it. Paste the events into jsonlint.com to see what I mean.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @richgalloway, actually i have only json logs before, but now logs with timestamp added.
so i need props to fetch this other logs as well to avoid json parsing issues.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the pasted JSON is correct then this is badly formatted JSON
"host:""apl-12345"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok will try to change it, but can you please confirm the props i am using is correct??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it is valid JSON and you want to use INDEXED_EXTRACTIONS then this is all that is needed.
[sourcetype]
INDEXED_EXTRACTIONS=jsonNote the implications of using this setting though.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
