Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send part of my log body to splunk using OTEL collector.

vempatisuresh
Observer
‎05-20-2025 10:58 AM

HI,

I have my json message with 4-5 json key value pairs.

 

I want to remove some of the fields and want to modify body before send it to splunk server. In OTEL Server i tried using file log receiver to modify body and transform log statements to set body.

my json contians 

Body: Str({"instant":{"epochSecond":1747736470,"nanoOfSecond":616797000},"thread":"ListProc-Q0:I0","level":"DEBUG", "message":"{actual log message}})

My requirement is, i want to remove instant, thread, level fields and want to send "json value of message field, which comes dynamically"

Updated body is getting printed in debug log, but still splunk server is showing original body as is.

transform:\n log_statements:\n - context: log\n statements:\n
\ - 'set(body, ParseJSON(body)[\"message\"])'\n - 'set(body,
\"extracted\")'\n


But my splunk server is showing it as is original body. 

 

Can some one please help me with this issue.

Spoiler
 
Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-20-2025 01:18 PM

Hi @vempatisuresh 

  • Applying two set(body, ...) statements sequentially results in only the last one ("extracted") being set as the body. This eliminates your intended transformation.

Try the following:

processors:
  transform/logs:
    log_statements:
      - context: log
        statements:
          - set(body, ParseJSON(body)["message"])


Pipeline inclusion:

service:
  pipelines:
    logs:
      processors: [transform/logs, ...]

For more info check out the docs at https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/processor/transformproce...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

vempatisuresh
Observer
‎05-20-2025 11:15 PM

Hi @livehybrid ,

I tried below by removing 2nd line, but nothing is being transmitted to splunk.

As i mentioned , in the otel collector log, the body is getting printed correctly, somehow nothing is being sent to splunk server.

I see nothing in splunk with below change.

processors:
  transform/logs:
    log_statements:
      - context: log
        statements:
          - set(body, ParseJSON(body)["message"])

 

0 Karma
Reply

vempatisuresh
Observer
‎05-20-2025 11:00 AM

I want to get splunk log as actual log message in splunk server.

I am getting all fields instant, thread, level, message attributes in splunk, But i don't want to get it like that.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...