Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Do I need to modify props to capture 2 format of logs?

mahesh27
Communicator
‎05-23-2023 03:33 PM

Sample data:
i have 2 types of data and below props given, i am seeing internal logs like

ERROR JsonLineBreaker - JSON StramID:13457545565443322455 had parsing error: Unexpected character: 'a' - data_source........

Do i need to modify props to capture 2 format of logs??

props:
[sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
LINE_BREAKER=([\r\n]+)

 

{[-]
UserID: Null
host: apl-45678
level: medium
message: cliendid: null, secondaryClientid: null, userid: unknown, respinsetime:1.34455
timestamp: 2022-01-22T21:23:44.897Z
}

 

 

 

{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", "host":"apl-12345", "userid": "NA", "message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - {"accept": "text/plain, application/json:*************************************************************************, "host:""apl-12345", "connection":"unknown"}"}

 

 

 

{[-]
UserID: Null
host: apl-45678
level: medium
message: cliendid: null, secondaryClientid: null, userid: unknown, respinsetime:1.34455
timestamp: 2022-01-22T21:23:44.897Z
}

 

 

 

{"timestamp": "2022-01-22T21:23:44.897Z", "level":"applevel", "host":"apl-12345", "userid": "NA",
 "message": apl-12345-20144 - unknown - GET - / - REQ-NAMES - {"accept": "text/plain, application/json:*************************************************************************, "host:""apl-12345", "connection":"unknown"}"}

 


 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2023 05:08 PM

You say you have two types of data, but the example look very similar to me.  In general, yes, two types of data call for 2 set of props, but I believe that is not the case here.

In this case, I believe the problem is the data is not well-formed JSON so Splunk cannot parse it.  Paste the events into jsonlint.com to see what I mean.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mahesh27
Communicator
‎05-23-2023 05:56 PM

hi @richgalloway, actually i have only json logs before, but now logs with timestamp added.
so i need props to fetch this other logs as well to avoid json parsing issues.

0 Karma
Reply

yeahnah
Motivator
‎05-23-2023 06:13 PM

If the pasted JSON is correct then this is badly formatted JSON

"host:""apl-12345"

 

0 Karma
Reply

mahesh27
Communicator
‎05-23-2023 06:24 PM

ok will try to change it, but can you please confirm the props i am using is correct??

0 Karma
Reply

yeahnah
Motivator
‎05-23-2023 06:52 PM

If it is valid JSON and you want to use INDEXED_EXTRACTIONS then this is all that is needed.

[sourcetype]
INDEXED_EXTRACTIONS=json

Note the implications of using this setting though.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf#Structured_Data_Header_Extraction...

 

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...