Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Log parsing - JSON

pm2012
Explorer
‎02-26-2024 07:56 PM
Hi SMEs, morning I have a situation where logs are coming from an application recently on-boarded in below format, seems like they are in JSON and should be parsed as per key:value mechanism. Any suggestion how to fix it. Many thanks in advance <11>1 2024-02-27T03:22:53.376823921Z hostname-1 ipsec ipsecd[85] log - {"time":"2024-02-27T03:22:53.376823921Z","type":"log","level":"error","log":{"msg":"et_backend: connection failed while getting et keys"},"process":"ipsecd[85]","service":"ipsec","system":"hostname-1","neid":"414399","container":"784722400000","host":"hostname-1","timezone":"UAT"}
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-26-2024 11:40 PM

There has always been a problem with parsing a "headered" structured data. There is even an open idea about it. https://ideas.splunk.com/ideas/EID-I-208

The easiest way to go about it would be probably to parse the header into indexed fields if needed (most of it should already be parsed into _time and host; you could however want to have the process name and pid stored) and then strip the header completely with SEDCMD or INGEST_EVAL (I don't remember if SEDCMD works before or after transforms are called).

This way you'd be left with an all-json event which Splunk can handle with proper KV_MODE.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...