However, I just have a couple other things that would be nice to clean up. For one, I got some errors when it is run. Here are the errors:
command="jsonkvrecursive", Error : Traceback: Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\jsonutils\bin\jsonkvrecursive.py", line 53, in <module> handle_dict(r, json.loads(json_text)) File "C:\Program Files\Splunk\Python-2.6\Lib\json\__init__.py", line 307, in loads return _default_decoder.decode(s) File "C:\Program Files\Splunk\Python-2.6\Lib\json\decoder.py", line 319, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "C:\Program Files\Splunk\Python-2.6\Lib\json\decoder.py", line 336, in raw_decode obj, end = self._scanner.iterscan(s, **kw).next() File "C:\Program Files\Splunk\Python-2.6\Lib\json\scanner.py", line 55, in iterscan rval, next_pos = action(m, context) File "C:\Program Files\Splunk\Python-2.6\Lib\json\decoder.py", line 183, in JSONObject value, end = iterscan(s, idx=end, context=context).next() File "C:\Program Files\Splunk\Python-2.6\Lib\json\scanner.py", line 55, in iterscan rval, next_pos = action(m, context) File "C:\Program Files\Splunk\Python-2.6\Lib\json\decoder.py", line 155, in JSONString return scanstring(match.string, match.end(), encoding, strict) ValueError: Unterminated string starting at: line 1 column 5326 (char 5326)
command="jsonkvrecursive", Error : Traceback: Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\jsonutils\bin\jsonkvrecursive.py", line 51, in <module> json_text = raw[ raw.index( '{' ) : raw.rindex( '}' )+1 ] ValueError: substring not found
I'm not sure if there's something I can do to avoid that error when logging?
The other thing is that when I run splunk on my log file piped to jsonkvrecursive and it pulls out the fields, it also, still, displays the full JSON log message. I'd actually prefer to only see the fields that are pulled out. It almost defeats the purpose of pulling the fields out to still see the pre-parsed JSON log message. Is there some setting on Splunk to get it to stop showing me that? Here's an example:
1 3/2/12
4:50:49.000 PM
{"TimeStamp":"03-02-12 4:50:49 PM","ComponentFileName":"C:\\Output.php","EventName":"DEBUG","ThrowableInformation":null,"componentConstituentType":"xxx","ClientIpAddress":"127.0.0.1","ThreadID":"7220","controlID":"cd0f3bcc-38fd-1d27-bd77-516952222c0a","EventDescription":"Total execution time: 0.4504","LineNumber":"395","componentName":"yyy","MethodName":"_display","RenderedMessage":"Total execution time: 0.4504","ClassName":"CI_Output"}
TimeStamp=03-02-12 4:50:49 PM Options|
RenderedMessage=Total execution time: 0.4504 Options|
EventName=DEBUG Options|
ClientIpAddress=127.0.0.1 Options|
controlID=cd0f3bcc-38fd-1d27-bd77-516952222c0a Options
I'd rather just see the things at the bottom.
Thanks.
... View more