Splunk Enterprise

Suggestions for filtering nodejs logs

Contributor

22:13:06.901Z INFO my-portal: blah : blah - success
tracker: {
"trackId": "foo",
"hashedAccountId": "bar",
"ip": "127.0.0.1",
"queryUrl": "http://my.domain.com/aluminum/batPreferences/txm",
"queryMethod": "GET",
"elapsed": 91.561
}

The nodejs output looks kinda like what's shown above. Any suggestions for parsing this so that I can view the syntax-highlighted JSON would be appreciated. I've tried a transform to reassign the INFO line to a separate sourcetype, but that doesn't change the fact that I only see the raw text in my search.

props.conf
[nodejs:all]
KV_MODE = json
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)(\d{2}:\d{2}:\d{2})
TRANSFORMS-stripINFO = stripINFO

transforms.conf
[stripINFO]
REGEX = ^\d{2}:\d{2}:\d{2}\.\d{3}Z
FORMAT = sourcetype::nodejs_out
DEST_KEY = MetaData:Sourcetype

Clearly this doesn't work, but I'm a bit stumped.

Thank you.

1 Solution

Ultra Champion
LINE_BREAKER = (){|}()

and remove extra events

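To make the event breaking and JSON extraction the thread is after concrete, here is a small Python model of that pipeline. It is added here as an illustration and is not code from either post: it breaks the raw stream into events at the timestamp boundary with LINE_BREAKER-style semantics (the text matched by the first capture group is the discarded separator), shows that the whole event is not itself a JSON document, then isolates the tracker object from each event and parses it, which is what a search-time rex followed by spath does. The second event, the WARN line and the latency threshold in slow_requests are constructed for the example.

```python
import json
import re

# Constructed sample in the shape of the nodejs output quoted in the question
# (the second event is made up for this example).
SAMPLE_LOG = """22:13:06.901Z INFO my-portal: blah : blah - success
tracker: {
"trackId": "foo",
"hashedAccountId": "bar",
"ip": "127.0.0.1",
"queryUrl": "http://my.domain.com/aluminum/batPreferences/txm",
"queryMethod": "GET",
"elapsed": 91.561
}
22:13:07.250Z WARN my-portal: blah : blah - failure
tracker: {
"trackId": "baz",
"hashedAccountId": "qux",
"ip": "10.0.0.5",
"queryUrl": "http://my.domain.com/aluminum/batPreferences/txm",
"queryMethod": "POST",
"elapsed": 1502.3
}
"""

# Event boundary, modelled on Splunk's LINE_BREAKER: the first capture group
# is the separator that gets discarded, and the lookahead keeps the timestamp
# at the head of the next event instead of swallowing it.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=\d{2}:\d{2}:\d{2}\.\d{3}Z )")

# Header line of an event: time, level, logger name, free-text message.
HEADER = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}Z) (?P<level>\w+) (?P<logger>[^:]+): (?P<msg>.*)$",
    re.M,
)

# The embedded object; the equivalent of a search-time
#   rex field=_raw "tracker:\s*(?<tracker>\{[\s\S]*\})" | spath input=tracker
TRACKER = re.compile(r"tracker:\s*(\{.*\})", re.S)


def break_events(raw):
    """Split the raw stream into events; separators captured by the group are dropped."""
    return [part.strip() for part in LINE_BREAKER.split(raw) if part.strip()]


def whole_event_is_json(event):
    """True only if the complete event text is a single JSON document."""
    try:
        json.loads(event)
        return True
    except ValueError:
        return False


def parse_event(event):
    """Header fields plus the parsed tracker object (None when absent or malformed)."""
    m = HEADER.match(event)
    if not m:
        return None
    fields = m.groupdict()
    fields["tracker"] = None
    t = TRACKER.search(event)
    if t:
        try:
            fields["tracker"] = json.loads(t.group(1))
        except ValueError:
            pass  # keep the event, just without the structured fields
    return fields


def parse_log(raw):
    """Break the stream and parse every event that has a recognisable header."""
    return [f for f in (parse_event(e) for e in break_events(raw)) if f]


def slow_requests(raw, threshold_ms=1000.0):
    """Example use of the extracted fields: (trackId, method, ip) above a latency threshold."""
    hits = []
    for f in parse_log(raw):
        tr = f["tracker"]
        if tr and tr.get("elapsed", 0) > threshold_ms:
            hits.append((tr["trackId"], tr["queryMethod"], tr["ip"]))
    return hits


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(json.dumps(ev, indent=2))
```

The point the model makes is that breaking alone does not give you JSON fields: each event is a text header followed by an object, so the object has to be isolated (at search time with rex and spath, or at index time by rewriting the event) before anything can parse or highlight it.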