Getting Data In

Sending rsyslog JSON format

shaharl
Engager

Hello,

I have tried today to integrate Splunk with rsyslog messages that contain JSON.
The issue is that rsyslog is sending the information with timestamp, hostname, and application name before the JSON message that my application made.

0 Karma
1 Solution

shaharl
Engager

My application is using rsyslog to write logs, so anyway I need to find a way to change the log format because it's not standard JSON.

rsyslog's default format is TIMESTAMP HOSTNAME APP MSG

So we solved this issue by creating a new template at syslog without timestamp, hostname, application (in other words - just JSON messages).

By adding at /etc/rsyslog.d/mysqpplication.conf:

```
# Emit only the MSG part of each record, one message per line
$template MyTemplate,"%msg%\n"
# Forward MYSQPP's messages over UDP (@ = UDP, @@ = TCP) using that template
:programname, isequal, "MYSQPP" @10.0.100.220:555;MyTemplate
```

And add to /opt/splunk/etc/system/local/props.conf:

```
[MyApp]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = JSON
category = Structured
description = MyApp
```

0 Karma

stmyers7941
Path Finder

I did this with a similar situation where a syslog header was added to the front of XML events. In props.conf, make a LINE_BREAKER setting for the sourcetype (or whatever) and add the regex for the syslog header, and end with the opening of your JSON (XML in my example):

```
[sam:xml]
# Strips syslog header and makes events pure XML
# (hyphen kept last inside [...] so it is a literal, not a range)
LINE_BREAKER = (\d\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}-\d{2}:\d{2}\s[\w_-]+\s[\w_-]+\s\d+\s-\s-\s)
SHOULD_LINEMERGE = false
```

Obviously, your regex will vary. Post a sample event if you need help with the regex.
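Both answers rest on the same idea: the syslog header in front of the payload must be removed before Splunk's JSON extraction can work. The following is an added example (not code from this thread or from Splunk) that checks such header-stripping regexes offline against constructed sample lines before they go into props.conf; it covers rsyslog's default "TIMESTAMP HOSTNAME APP MSG" layout and the RFC 5424-style header above, widened to accept either timezone sign, and reports any line whose remainder is not a JSON object. Host, application and port values are made up.

```python
import json
import re

# Constructed sample lines (not from the thread): two syslog header shapes in
# front of the application's JSON, plus one line whose payload is not JSON.
SAMPLE_LINES = [
    'Mar  5 10:15:22 web01 MYSQPP: {"event": "login", "user": "alice", "ok": true}',
    '1 2024-03-05T10:15:22-05:00 web01 MYSQPP 4711 - - {"event": "logout", "user": "bob"}',
    'Mar  5 10:15:23 web01 MYSQPP: plain text, not JSON',
]

# One pattern per header flavour; each consumes the header plus the whitespace
# separating it from the payload, which is what a LINE_BREAKER capture discards.
HEADER_PATTERNS = [
    # rsyslog default "TIMESTAMP HOSTNAME APP MSG" (RFC 3164 style)
    re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s[\w.-]+(?:\[\d+\])?:\s*'),
    # RFC 5424 style header as in the props.conf regex, with [+-] for the tz sign
    re.compile(r'^\d\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}\s[\w_-]+\s[\w_-]+\s\d+\s-\s-\s'),
]

def strip_syslog_header(line):
    """Return (header, payload); header is '' when no known pattern matches."""
    for pattern in HEADER_PATTERNS:
        m = pattern.match(line)
        if m:
            return m.group(0), line[m.end():]
    return '', line

def parse_event(line):
    """Return the payload decoded as a JSON object, or None if it is not one."""
    _, payload = strip_syslog_header(line)
    try:
        obj = json.loads(payload)  # leading whitespace in the payload is fine
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def check_lines(lines):
    """Split lines into decoded JSON events and raw lines Splunk would reject."""
    good, bad = [], []
    for line in lines:
        obj = parse_event(line)
        if obj is None:
            bad.append(line)
        else:
            good.append(obj)
    return good, bad

if __name__ == '__main__':
    print(check_lines(SAMPLE_LINES))
```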


esix_splunk
Splunk Employee

JSON and syslog are different formats and don't particularly play well together due to the nature of the syslog format. There are some custom rules you can compile for rsyslog that will help with JSON.

But since you're using Splunk, why are you trying to ingest these with rsyslog? Why not use a Splunk Universal Forwarder and ingest the JSON files directly into Splunk? Splunk understands JSON format with no problems.

somesoni2
SplunkTrust

Can you post some sample log entries?

0 Karma