Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with logs line breaking issue?

ajitdev381
Engager
‎05-25-2023 07:42 AM

My application logs json object . Sample logs look like this:

 

 

{"ts":"05 25 2023 14:57:05.114","msg":"Listeners is invoked"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=Metaspace} value=117.305855 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'profiled nmethods'} value=41.941772 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'non-profiled nmethods'} value=18.53479 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=heap,id=G1 Old Gen} value=82.355469 MiB"
								 }

 

 

 

if you notice above , my application prints } in next line along with extra tabs \t

In splunk, these logs are not represented as json , All these above text are shown in one line . I learn about LINE_BREAKER and tried following line break regex but nothing worked

1) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\t]+{)

2) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\t]+{)

3) 
SHOULD_LINEMERGE=false
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-add_closing_bracket=s/\"$/"}/g

#3 works , splunk shows extra ending bracket with tabs

 

 

								 }

 

 

 I want splunk should consider every json object irrespective of tab and ending bracket } in next line . Please help

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...