Looking for assistance with regex when extracting ...

rhendle · ‎03-01-2019

Original syslog format of json message:

Feb 25 16:24:24 hostname.fqdn.com Feb 25 22:24:24 log-forwarder-pn4c9 edge-443-7f98575954-k4h8q_rtf_ed {"log":"\u003clogEntry\u003e\u003cheader\u003e\u003ctime\u003e2019-02-25T22:24:24.232620\u003c/time\u003e\u003cnode\u003ehostname.fqdn.com\u003c/node\u003e\u003clogType\u003eINPUT_SERVER\u003c/logType\u003e\u003clogLevel\u003eINFO\u003c/logLevel\u003e\u003cprocess\u003esecurityfabric-edge-runtime\u003c/process\u003e\u003cpid\u003e4266\u003c/pid\u003e\u003ctid\u003e4280\u003c/tid\u003e\u003cfile\u003e/edge/cbrcore/src/protocols/http/http/HTTP_Server.cpp\u003c/file\u003e\u003cline\u003e715\u003c/line\u003e\u003c/header\u003e\u003cbody\u003e\u003cinfoMsg\u003eHttpInputServeradding rule [input: /prc-well, output: /$, app: prc-well-prd.ef3e3855-8f93-4c20-9542-bcaa7a966ed0.svc.cluster.local, ssl_redirect: 1, upstream https: 0, streaming: 0] for virtual host: api.chk.com\u003c/infoMsg\u003e\u003c/body\u003e\u003c/logEntry\u003e\n","stream":"stdout","time":"2019-02-25T22:24:24.232912499Z"}

After implementing regex example extraction from article https://answers.splunk.com/answers/548539/can-you-extract-json-syslog-automatically.html?utm_source=...

[sourcetype]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
KV_MODE=none

Example updated logged event in Splunk:

    { [-] 
       log: INFO  2019-02-25 22:43:18,350 [[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5] [event: 133781fd-65af-41da-99b6-905dfcfe6dc3] org.mule.extension.jsonlogger.JsonLogger: {"applicationName":"prc-well","applicationVersion":"1.0.2","content":"{\n  \"correlationId\": \"b8a3ad0c-976d-4c3e-b4c3-9a1977483920\",\n  \"parentMessageId\": \"\",\n  \"businessEntityName\": \"well\",\n  \"businessKey\": \"113262\",\n  \"originatingApplicationName\": \"/10.244.100.0:52500\",\n  \"businessProcessName\": \"well management\"\n}","correlationId":"133781fd-65af-41da-99b6-905dfcfe6dc3","elapsed":"1","environment":"prd","locationInfo":{"component":"json-logger:logger","fileName":"prc-well-api-implementation.xml","lineInFile":"49","location":"api-get-well/processors/2","rootContainer":"api-get-well"},"message":"Start api-get-well","priority":"INFO","threadName":"[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5","timestamp":"2019-02-25T22:43:16.044Z","tracePoint":"START"}

   stream: stdout 
   time: 2019-02-25T22:43:18.449706618Z 
}

But I'm actually looking for regex assistance in automatically parsing out the json fields after org.mule.extension.jsonlogger.JsonLogger so that I don't have to create manual extractions in SPLUNK.

log: INFO  2019-02-25 22:43:18,350 [[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5] [event: 133781fd-65af-41da-99b6-905dfcfe6dc3] org.mule.extension.jsonlogger.JsonLogger: {

THANK YOU!!!

damann · ‎03-05-2019

Did you already tried to choose _json as sourcetype for your events?

rhendle · ‎03-05-2019

Yes but since this is really json inside of syslog (the application's only output is syslog but the data sent to syslog is Json) it doesn't work.

I'm able to extract each field using field extractions in the splunk search head (Saas) but was hoping for a more efficient way to on the HF (on premise) to extract and forward just the full json message to splunk.

Thanks!

Looking for assistance with regex when extracting json from inside of syslog events

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation