Hello,
I've been trying to parse logs from Docker and used this Splunk answer (https://answers.splunk.com/answers/611715/docker-logs-produced-in-raw.html) to extract the underlying logs from the Docker JSON.
The underlying logs are also in JSON, so I'm trying to get Splunk to recognize the opening "{" as the start of the event. However, I'm finding that some sources are still dividing each line of the log into a separate event, while some sources are creating a single event with multiple JSON blobs.
Here is my props.conf:
[source::/var/log/containers/*]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
LINE_BREAKER = ([\n\r]+){"log":"{\n # setting line break as opening "{" in underlying JSON
CHARSET = UTF-8
disabled = false
[container_json]
CHARSET=UTF-8
SHOULD_LINEMERGE=false
NO_BINARY_CHECK = true
SEDCMD-1_unjsonify = s/{"log":"(?:\\u[0-9]+)?(.*?)\\n","stream.*/\1/g
SEDCMD-2_unescapequotes = s/\\"/"/g
category = Custom
disabled = false
pulldown_type = true
TRUNCATE=150000
TZ=UTC
KV_MODE = json
This is the log sent from Docker:
{"log":"{\n","stream":"stdout","time":"2018-03-06T18:56:08.648972915Z"}
{"log":" \"time\": \"2018-03-06 18:56:08.648636Z\",\n","stream":"stdout","time":"2018-03-06T18:56:08.649029831Z"}
{"log":" \"nothing_to_update\": true,\n","stream":"stdout","time":"2018-03-06T18:56:08.64903929Z"}
{"log":" \"events\": [\n","stream":"stdout","time":"2018-03-06T18:56:08.649045009Z"}
{"log":"\n","stream":"stdout","time":"2018-03-06T18:56:08.649050131Z"}
{"log":" ]\n","stream":"stdout","time":"2018-03-06T18:56:08.649054914Z"}
{"log":"}\n","stream":"stdout","time":"2018-03-06T18:56:08.649059571Z"}
This is the extracted source in Splunk, but each line is showing up as an individual event:
{
"time": "2018-03-06 18:56:08.648636Z",
"nothing_to_update": true,
"events": [
]
}
I have other source files that seem to be working, but they are concatenating several JSON logs together. This source file shows up as one single event:
{
"time": "2018-03-06 18:56:18.507756Z",
"events": [
"No emails to send"
]
}
{
"time": "2018-03-06 18:56:18.514313Z",
"events": [
"No emails to send"
]
}
I've tried many different props.conf configurations, and this is the closest I've gotten to parsing the JSON properly. The extracted source for both examples is valid JSON, so I'm not sure why some source files are divided into line-by-line events but others are combining multiple JSON events into one.
Any help would be greatly appreciated!
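As an added example that is not part of the original post, the same pipeline in plain Python rather than Splunk, so the behaviour can be checked offline: it unwraps Docker json-file records, reproduces the two SEDCMD rewrites from the props.conf above, and splits the unwrapped text into one event per top-level JSON document with json.JSONDecoder.raw_decode instead of a regex on the opening brace. It also runs the LINE_BREAKER regex against the sample records. Splunk hands LINE_BREAKER to a PCRE engine, where `\n` means a newline character, while Docker writes the newline inside the `log` field as the two characters backslash and n, so `{"log":"{\n` never matches these records and `{"log":"{\\n` does. The records for case A are the ones in the post; the records for case B are constructed from the extracted output shown for the second source, with made-up timestamps.

```python
"""Reassemble multi-line JSON application logs from Docker json-file records.

Added example, not code from the original post. Mirrors in plain Python what
the props.conf in the question asks Splunk to do, so each step can be tested.
"""
import json
import re

# Case A: the seven records quoted in the post (one pretty-printed JSON document).
DOCKER_CASE_A = [
    r'{"log":"{\n","stream":"stdout","time":"2018-03-06T18:56:08.648972915Z"}',
    r'{"log":" \"time\": \"2018-03-06 18:56:08.648636Z\",\n","stream":"stdout","time":"2018-03-06T18:56:08.649029831Z"}',
    r'{"log":" \"nothing_to_update\": true,\n","stream":"stdout","time":"2018-03-06T18:56:08.64903929Z"}',
    r'{"log":" \"events\": [\n","stream":"stdout","time":"2018-03-06T18:56:08.649045009Z"}',
    r'{"log":"\n","stream":"stdout","time":"2018-03-06T18:56:08.649050131Z"}',
    r'{"log":" ]\n","stream":"stdout","time":"2018-03-06T18:56:08.649054914Z"}',
    r'{"log":"}\n","stream":"stdout","time":"2018-03-06T18:56:08.649059571Z"}',
]

# Case B: constructed records (made-up timestamps) that would produce the
# two concatenated documents shown for the second source in the post.
DOCKER_CASE_B = [
    r'{"log":"{\n","stream":"stdout","time":"2018-03-06T18:56:18.507800Z"}',
    r'{"log":" \"time\": \"2018-03-06 18:56:18.507756Z\",\n","stream":"stdout","time":"2018-03-06T18:56:18.507801Z"}',
    r'{"log":" \"events\": [\n","stream":"stdout","time":"2018-03-06T18:56:18.507802Z"}',
    r'{"log":" \"No emails to send\"\n","stream":"stdout","time":"2018-03-06T18:56:18.507803Z"}',
    r'{"log":" ]\n","stream":"stdout","time":"2018-03-06T18:56:18.507804Z"}',
    r'{"log":"}\n","stream":"stdout","time":"2018-03-06T18:56:18.507805Z"}',
    r'{"log":"{\n","stream":"stdout","time":"2018-03-06T18:56:18.514400Z"}',
    r'{"log":" \"time\": \"2018-03-06 18:56:18.514313Z\",\n","stream":"stdout","time":"2018-03-06T18:56:18.514401Z"}',
    r'{"log":" \"events\": [\n","stream":"stdout","time":"2018-03-06T18:56:18.514402Z"}',
    r'{"log":" \"No emails to send\"\n","stream":"stdout","time":"2018-03-06T18:56:18.514403Z"}',
    r'{"log":" ]\n","stream":"stdout","time":"2018-03-06T18:56:18.514404Z"}',
    r'{"log":"}\n","stream":"stdout","time":"2018-03-06T18:56:18.514405Z"}',
]

# LINE_BREAKER from the post, as a regex engine reads it: \n is a newline char.
LINE_BREAKER_AS_WRITTEN = re.compile(r'([\n\r]+)\{"log":"\{\n')
# The same breaker with \\n, matching the literal backslash-n Docker writes.
LINE_BREAKER_ESCAPED = re.compile(r'([\n\r]+)\{"log":"\{\\n')

# SEDCMD-1_unjsonify from the post, as a Python regex.
_UNJSONIFY = re.compile(r'\{"log":"(?:\\u[0-9]+)?(.*?)\\n","stream.*')


def raw_file(records):
    """Join records the way they sit on disk: one JSON record per line."""
    return "\n".join(records) + "\n"


def count_breaks(pattern, text):
    """Number of event boundaries a LINE_BREAKER regex would find in text."""
    return len(pattern.findall(text))


def unjsonify_sed(record):
    """Apply the post's two SEDCMD rewrites to one Docker record."""
    line = _UNJSONIFY.sub(r"\1", record)   # SEDCMD-1_unjsonify
    return line.replace('\\"', '"')         # SEDCMD-2_unescapequotes


def unwrap_json(record):
    """Decode the record as JSON and return the 'log' payload (newline kept).

    Unlike the SEDCMD regex this honours every JSON escape, not just \\" and \\n.
    """
    return json.loads(record)["log"]


def split_json_events(text):
    """Return one Python object per top-level JSON document in text.

    Works for pretty-printed and concatenated documents alike, because the
    decoder consumes exactly one complete value at a time.
    """
    decoder = json.JSONDecoder()
    events, pos, end = [], 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)
    return events


def docker_records_to_events(records):
    """Unwrap Docker json-file records and split the payload into JSON events."""
    payload = "".join(unwrap_json(r) for r in records)
    return split_json_events(payload)


if __name__ == "__main__":
    stream = raw_file(DOCKER_CASE_A + DOCKER_CASE_B)
    print("breaks with \\n :", count_breaks(LINE_BREAKER_AS_WRITTEN, stream))
    print("breaks with \\\\n:", count_breaks(LINE_BREAKER_ESCAPED, stream))
    for case in (DOCKER_CASE_A, DOCKER_CASE_B):
        for event in docker_records_to_events(case):
            print(json.dumps(event))
```

Running the file prints zero boundaries for the breaker as written and two for the escaped form (one before each document of case B; the first record of the stream is not preceded by a newline), then three separate events. The raw_decode loop is what makes case B come out as two events rather than one blob, independent of where the newlines fall.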