Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with logs line breaking issue?

ajitdev381
Engager
‎05-25-2023 07:42 AM

My application logs json object . Sample logs look like this:

 

 

{"ts":"05 25 2023 14:57:05.114","msg":"Listeners is invoked"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=Metaspace} value=117.305855 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'profiled nmethods'} value=41.941772 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'non-profiled nmethods'} value=18.53479 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=heap,id=G1 Old Gen} value=82.355469 MiB"
								 }

 

 

 

if you notice above , my application prints } in next line along with extra tabs \t

In splunk, these logs are not represented as json , All these above text are shown in one line . I learn about LINE_BREAKER and tried following line break regex but nothing worked

1) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\t]+{)

2) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\t]+{)

3) 
SHOULD_LINEMERGE=false
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-add_closing_bracket=s/\"$/"}/g

#3 works , splunk shows extra ending bracket with tabs

 

 

								 }

 

 

 I want splunk should consider every json object irrespective of tab and ending bracket } in next line . Please help

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...