Solved: Suggestions for filtering nodejs logs

pkeller · ‎04-16-2020

22:13:06.901Z INFO my-portal: blah : blah - success
tracker: {
"trackId": "foo",
"hashedAccountId": "bar",
"ip": "127.0.0.1",
"queryUrl": "http://my.domain.com/aluminum/batPreferences/txm",
"queryMethod": "GET",
"elapsed": 91.561
}

The nodejs output looks kinda like what's shown above. Any suggestions for parsing this so that I can view the syntax highlighted json would be appreciated. I've tried a transforms to reassign the INFO line to a separate sourcetype, but that doesn't change the fact that I only see the raw text in my search.

[nodejs:all]
KV_MODE = json
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)(\d{2}:\d{2}:\d{2})
TRANSFORMS-strip_INFO = strip_INFO

transforms.conf
[strip_INFO]
REGEX = ^\d{2}:\d{2}:\d{2}.\d{3}Z
FORMAT = sourcetype::nodejs_out
DEST_KEY = MetaData:Sourcetype

Clearly this doesn't work, but I'm a bit stumped.

Thank you.

to4kawa · ‎04-17-2020

LINE_BREAKER = (){|}()

and remove extra events

View solution in original post

to4kawa · ‎04-17-2020

LINE_BREAKER = (){|}()

and remove extra events

Suggestions for filtering nodejs logs

configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation