×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ajitdev381
Engager
Member since: ‎05-25-2023
‎06-02-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎05-25-2023
Activity Feed
View All

some json log lines are merged into one block

by in Splunk Search
‎06-02-2023 05:37 AM
‎06-02-2023 05:37 AM
Our application prints logs in json format . example  {"ts":"05 30 2023 10:30:00.013","th":"logging-metrics-publisher","level":"INFO ","logger":"LoggingMeterRegistry","msg":"jvm.threads.states{state=timed-waiting} value=40 threads" } {"ts":"05 30 2023 10:30:00.012","th":"logging-metrics-publisher","level":"INFO ","logger":"LoggingMeterRegistry","msg":"jvm.threads.states{state=waiting} value=222 threads" } Some logs are displayed in json format and some are not . json format logs are generated by same code .  but i am not sure why some logs are shown in same block like this. we haven't put anything in props file   ... View more
Labels

Help with logs line breaking issue?

by in Splunk Search
‎05-25-2023 07:42 AM
‎05-25-2023 07:42 AM
My application logs json object . Sample logs look like this:     {"ts":"05 25 2023 14:57:05.114","msg":"Listeners is invoked" } {"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=Metaspace} value=117.305855 MiB" } {"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'profiled nmethods'} value=41.941772 MiB" } {"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'non-profiled nmethods'} value=18.53479 MiB" } {"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=heap,id=G1 Old Gen} value=82.355469 MiB" }       if you notice above , my application prints } in next line along with extra tabs \t In splunk, these logs are not represented as json , All these above text are shown in one line . I learn about LINE_BREAKER and tried following line break regex but nothing worked 1)  SHOULD_LINEMERGE=false LINE_BREAKER=([\t]+{) 2)  SHOULD_LINEMERGE=false LINE_BREAKER=([\n\t]+{) 3)  SHOULD_LINEMERGE=false BREAK_ONLY_BEFORE=\{"ts": SEDCMD-add_closing_bracket=s/\"$/"}/g #3 works , splunk shows extra ending bracket with tabs     }      I want splunk should consider every json object irrespective of tab and ending bracket } in next line . Please help ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-02-2023 09:27 AM
Karma given to
View All