×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
grrtt
Observer
Member since: ‎03-28-2022
‎04-01-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-28-2022
View All

Re: Troubles with parsing for my first time

by in Getting Data In
‎04-01-2022 04:45 PM
‎04-01-2022 04:45 PM
I was able to take some of the input you provided and get into transforms so now it is all parsing and searchable. Thank you for the help   @splunk:~$ cat /opt/splunk/etc/system/local/props.conf [Untangle] KV_MODE = json TRANSFORMS-untangle = Untangle_transform @splunk:~$ cat /opt/splunk/etc/system/local/transforms.conf [Untangle_transform] SOURCE_KEY = _raw DEST_KEY = _raw REGEX = ({.+}) FORMAT = $1 ... View more

Re: Troubles with parsing for my first time

by in Getting Data In
‎03-29-2022 08:18 PM
‎03-29-2022 08:18 PM
I tried    EXTRACT-json = (?P<json>\{.+)     This does look to remove the beginning portion of the log as I'd like, but does not parse the json. I was hoping that setting the index extractor to json would parse the remaining json log into fields for me as doing the search with spath does.    ... View more

Can I parse data prepended to json logs upon loggi...

by in Getting Data In
‎03-28-2022 06:55 PM
‎03-28-2022 06:55 PM
I'm having some troubles parsing data prepended to json logs. I can do it via search, but I'd like to do it upon logging within splunk so I can search the parsed data. Can you point me in the right direction and if I can do this via the UI or need to go into props.conf manually? This is working via search       sourcetype="Untangle"| rex "(?<json>\{.+)" | spath input=json         What I've tried in props.conf       [untangle] EXTRACT-untangle=(?<json>\{.+)       Example Log:       Mar 29 01:45:04 _gateway Mar 28 20:45:04 INFO uvm[0]: {"timeStamp":"2022-03-28 20:45:04.762","s2pBytes":160,"p2sBytes":65,"sessionId":107845676257000,"endTime":0,"class":"class com.untangle.uvm.app.SessionStatsEvent","c2pBytes":65,"p2cBytes":160}         ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-01-2022 08:06 PM