Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with logs line breaking issue?

ajitdev381
Engager
‎05-25-2023 07:42 AM

My application logs json object . Sample logs look like this:

 

 

{"ts":"05 25 2023 14:57:05.114","msg":"Listeners is invoked"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=Metaspace} value=117.305855 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'profiled nmethods'} value=41.941772 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'non-profiled nmethods'} value=18.53479 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=heap,id=G1 Old Gen} value=82.355469 MiB"
								 }

 

 

 

if you notice above , my application prints } in next line along with extra tabs \t

In splunk, these logs are not represented as json , All these above text are shown in one line . I learn about LINE_BREAKER and tried following line break regex but nothing worked

1) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\t]+{)

2) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\t]+{)

3) 
SHOULD_LINEMERGE=false
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-add_closing_bracket=s/\"$/"}/g

#3 works , splunk shows extra ending bracket with tabs

 

 

								 }

 

 

 I want splunk should consider every json object irrespective of tab and ending bracket } in next line . Please help

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...