Hi All,
Today I encapsulate system logs in a JSON structure in order to add metadata that I would like to add to Splunk:
Raw field:
{
  "@metadata": {"type": "log", "beat": "filebeat"},
  "beat": {
    "name": "server3",
    "hostname": "server3",
    "version": "5.4.0"
  },
  "fields": {
    "siteId": "Sweden"
  },
  "source": "/root/log/currentLog.log",
  "offset": 916645,
  "type": "log",
  "message": "2018-05-21T04:36:52.685 WARN: This is a warning",
  "@timestamp": "2018-05-21T02:37:27.919Z",
  "input_type": "log"
}
The actual log line is in the "message" field. Because this is JSON, Splunk parses it easily and extracts the fields nicely.
Now my issue is that when I perform searches on this data, having the whole JSON structure in the _raw field is very cumbersome and prevents me from using the normal events viewer to browse the logs (because of all the extra information around the data I'm interested in).
My questions:
- Is there a way (via transforms/props) to replace _raw with the field "message" while keeping the fields saved at index time?
- If the above solution is not possible/not clean, is there a way for me to somehow send metadata on top of _raw when I send the data via TCP?
Thanks in advance,
Benoit
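As an added example (not part of the question above, and not Splunk's or Filebeat's own code), the following Python script shows the restructuring the second question is asking about: it unwraps a Filebeat 5.x JSON event, keeps only the original log line as the event text, and carries the shipper metadata as flat dotted fields (beat.hostname, fields.siteId, ...), which is how Splunk names fields it extracts from nested JSON. The sample event is constructed to match the shape shown in the post. Packaging the result in the HTTP Event Collector's event/fields layout is an assumption of this example; the question sends over plain TCP, and the HEC payload is shown only because that layout keeps indexed fields separate from _raw.

```python
import json

# Constructed sample event in the shape Filebeat 5.x emits (not from a live system).
SAMPLE_EVENT = json.dumps({
    "@metadata": {"type": "log", "beat": "filebeat"},
    "beat": {"name": "server3", "hostname": "server3", "version": "5.4.0"},
    "fields": {"siteId": "Sweden"},
    "source": "/root/log/currentLog.log",
    "offset": 916645,
    "type": "log",
    "message": "2018-05-21T04:36:52.685 WARN: This is a warning",
    "@timestamp": "2018-05-21T02:37:27.919Z",
    "input_type": "log",
})

# Keys that describe the shipper itself rather than the event; not worth indexing.
SHIPPER_ONLY = {"@metadata"}


def flatten(obj, prefix=""):
    """Flatten nested objects into dotted keys (beat.name, fields.siteId, ...),
    mirroring the names Splunk gives fields extracted from nested JSON."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def unwrap_event(raw_json):
    """Split one Filebeat JSON event into (log line, metadata fields).

    Raises ValueError when the input is not a JSON object or has no string
    'message', so a malformed line cannot silently turn into an empty event."""
    try:
        event = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(event, dict):
        raise ValueError("top-level JSON value must be an object")
    message = event.get("message")
    if not isinstance(message, str) or not message:
        raise ValueError("event has no 'message' string")
    meta = {k: v for k, v in event.items()
            if k != "message" and k not in SHIPPER_ONLY}
    return message, flatten(meta)


def to_hec_payload(raw_json, sourcetype="syslog"):
    """Rebuild the event in the layout Splunk's HTTP Event Collector accepts:
    the bare log line as 'event', metadata as index-time 'fields'.
    Choosing HEC over raw TCP is an assumption of this example."""
    message, fields = unwrap_event(raw_json)
    payload = {"event": message, "sourcetype": sourcetype, "fields": fields}
    host = fields.get("beat.hostname")
    if host:
        payload["host"] = host  # host is a HEC metadata key, not a custom field
    return payload


if __name__ == "__main__":
    print(json.dumps(to_hec_payload(SAMPLE_EVENT), indent=2))
```

Run it with no arguments to see the rebuilt payload for the sample event; in a real pipeline the function would be applied to each line read from Filebeat's output before forwarding.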