My application logs JSON objects. Sample logs look like this:
{"ts":"05 25 2023 14:57:05.114","msg":"Listeners is invoked"
}
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=Metaspace} value=117.305855 MiB"
}
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'profiled nmethods'} value=41.941772 MiB"
}
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'non-profiled nmethods'} value=18.53479 MiB"
}
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=heap,id=G1 Old Gen} value=82.355469 MiB"
}
If you notice above, my application prints } on the next line along with extra tabs \t
In Splunk, these logs are not represented as JSON. All of the above text is shown in one line. I learned about LINE_BREAKER and tried the following line-break regexes, but nothing worked
1)
SHOULD_LINEMERGE=false
LINE_BREAKER=([\t]+{)
2)
SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\t]+{)
3)
SHOULD_LINEMERGE=false
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-add_closing_bracket=s/\"$/"}/g
#3 works; Splunk shows an extra ending bracket with tabs
}
I want Splunk to treat every JSON object as one event, irrespective of the tab and the ending bracket } on the next line. Please help.
Try this variation of option 3.
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
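An offline check of the two LINE_BREAKER attempts from the question, as an added example that is not part of the thread: it emulates only the rule that the text matched by the first capture group is discarded at the event boundary, then counts how many resulting events parse as JSON. The sample text `RAW`, the helpers `break_events` and `count_valid_json`, and the `CANDIDATE` regex are assumptions constructed for this illustration.

```python
import json
import re

# Constructed sample modelled on the log lines in the question: the closing
# brace sits on its own line, preceded by a tab.
RAW = (
    '{"ts":"05 25 2023 14:57:05.114","msg":"Listeners is invoked"\n\t}\n'
    '{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=heap,id=G1 Old Gen} value=82.355469 MiB"\n\t}\n'
    '{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=Metaspace} value=117.305855 MiB"\n\t}\n'
)

def break_events(raw, line_breaker):
    """Split raw text on a LINE_BREAKER-style regex: whatever the first
    capture group matches is dropped, and the event boundary falls there."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:]
    if tail.strip():
        events.append(tail)
    return events

def count_valid_json(events):
    """Number of events that parse as a JSON object on their own."""
    ok = 0
    for event in events:
        try:
            ok += isinstance(json.loads(event), dict)
        except ValueError:
            pass
    return ok

ATTEMPT_1 = r'([\t]+{)'             # from the question: a tab never directly precedes "{"
ATTEMPT_2 = r'([\n\t]+{)'           # from the question: "{" is inside the group, so it is discarded
CANDIDATE = r'\}([\r\n]+)\{"ts":'   # assumption, not from the thread: only the newline is captured

if __name__ == "__main__":
    for name, rx in [("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2), ("candidate", CANDIDATE)]:
        events = break_events(RAW, rx)
        print(f"{name}: {len(events)} events, {count_valid_json(events)} valid JSON")
```

Whitespace before the closing brace is legal JSON, so an event that keeps both braces parses even with the tab and newline left in place.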