Solved: Suggestions for filtering nodejs logs

pkeller · ‎04-16-2020

22:13:06.901Z INFO my-portal: blah : blah - success
tracker: {
"trackId": "foo",
"hashedAccountId": "bar",
"ip": "127.0.0.1",
"queryUrl": "http://my.domain.com/aluminum/batPreferences/txm",
"queryMethod": "GET",
"elapsed": 91.561
}

The nodejs output looks kinda like what's shown above. Any suggestions for parsing this so that I can view the syntax highlighted json would be appreciated. I've tried a transforms to reassign the INFO line to a separate sourcetype, but that doesn't change the fact that I only see the raw text in my search.

[nodejs:all]
KV_MODE = json
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)(\d{2}:\d{2}:\d{2})
TRANSFORMS-strip_INFO = strip_INFO

transforms.conf
[strip_INFO]
REGEX = ^\d{2}:\d{2}:\d{2}.\d{3}Z
FORMAT = sourcetype::nodejs_out
DEST_KEY = MetaData:Sourcetype

Clearly this doesn't work, but I'm a bit stumped.

Thank you.

to4kawa · ‎04-17-2020

LINE_BREAKER = (){|}()

and remove extra events

View solution in original post

to4kawa · ‎04-17-2020

LINE_BREAKER = (){|}()

and remove extra events

Suggestions for filtering nodejs logs

configuration

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform