If you format the content of your log message using key=value pairs, then Splunk will automatically extract these at search time. This log message gets sent in the body of the REST HTTP Request.
The URL argument key=value pairs are for defining Splunk metadata fields (index, source, sourcetype, host, host_regex).
The Splunk Java Logging Framework provides a useful interface to make it easier to create best-practice log messages and integrate with your preferred logging framework, i.e. there are log4j and logback appenders that will seamlessly handle logging to the Splunk REST endpoint. Download it and look at the examples.
I only want to see the added key=value pairs below the raw data, not together with the raw data.
When I tried adding the raw data and the key=value pairs to the content body of the REST HTTP request like this, using the Java REST SDK API,
// Raw text followed by key=value pairs, all in one request body
reqMsg.setContent("rawdata1 - hater = yes, nothater = no");
I see this added in the search app:
rawdata1 - hater = yes, nothater = no
(for the added raw data value)
The new fields hater and nothater are added below the raw field.
I just want rawdata1 as the raw data value. Does it have to be done using the Java logging framework if I'm using Java?
Then, when I opened the search app to see the added data, I saw both the new fields and the raw data, which is the key=value pairs that I set, added directly.
I set the key=value pairs into the body of the REST HTTP request directly using the Java REST SDK API. Example:
// Uses com.splunk.RequestMessage / com.splunk.ResponseMessage from the Splunk Java SDK
RequestMessage reqMsg = new RequestMessage();
reqMsg.setMethod("post");
reqMsg.getHeader().put("x-splunk-input-mode", "streaming");
// The event text itself (the key=value pairs) goes in the request body
reqMsg.setContent("hater = yes, nothater = no");
Then I send the message to the simple receiver REST endpoint.
// Metadata (host, index, source, sourcetype) goes in the query string, not the body
String path = "/services/receivers/simple?host=localhost&index=main&source=addfields&sourcetype=addedfields";
ResponseMessage resMsg = authService.send(path, reqMsg);
Never mind. Thanks.
OK, can't help you with how the logback framework works. Sorry.
I wanted to format the log message into key=value pairs using the logback framework and append the log message to the Splunk REST receivers endpoint. I'm doing all of this in Java. I wanted to append the formatted log message to an OutputStream appender and get an OutputStream object to be sent to Splunk's REST receivers stream endpoint.
I wanted to format the log message with sample key=value pairs like this:
logger.debug("wrap = true, setValue = false,");
I don't know what socket appenders you are talking about.
I still think the best idea for you would be to show as a complete case what you're trying to achieve, with example data and an actual use-case, rather than asking about small details one at a time. But, that's just me.
I have been looking through logback and I would like to ask: for the log messages formatted with key=value pairs, are they sent to the Splunk endpoint by socket appenders? Is that right?
You could format it any way you want. Splunk only extracts keys and values automatically if they follow the key=value standard, but if you format it differently it's just a matter of creating field extractions for your specific log format instead.
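The point made in this answer and in the earlier reply ("add fields in the data in key=value pairs and they will be extracted automatically"), together with the Java SDK snippet posted in the question, is illustrated by the following added example. It is not code from the thread or from Splunk: it builds the same request to /services/receivers/simple that the Java snippet does (metadata in the query string, event text in the body) and then runs a deliberately simplified approximation of search-time automatic key=value extraction over the body. The regular expression and the `simulate_auto_kv`, `build_receiver_request` and `post_event` names are assumptions for illustration, not Splunk's implementation; the sample event text is constructed from the question.

```python
"""Added example: what goes in the receivers URL versus the event body,
and why key=value pairs in the body show up as fields while the whole
body stays in _raw. Not Splunk's code; the extraction regex below is a
simplified approximation (assumption) of automatic key=value extraction."""
import re
import urllib.request
from urllib.parse import urlencode, urljoin

RECEIVER_PATH = "/services/receivers/simple"

# Query-string keys the simple receiver treats as event metadata (from the
# thread). Any other key=value appended to the URL does not become a field,
# which is the behaviour the question reports.
METADATA_KEYS = ("index", "source", "sourcetype", "host", "host_regex")


def build_receiver_request(event, **metadata):
    """Return (path_with_query, body) for the simple receiver endpoint.

    Metadata goes in the query string; the event text is the body. Keys
    that are not receiver metadata are rejected so the mistake of putting
    custom fields in the URL is caught before sending."""
    unknown = set(metadata) - set(METADATA_KEYS)
    if unknown:
        raise ValueError(f"not receiver metadata, put in body: {sorted(unknown)}")
    return f"{RECEIVER_PATH}?{urlencode(metadata)}", event


# Simplified key=value matcher: identifier, optional spaces, '=', value up
# to the next comma or whitespace. Assumption for illustration only.
KV_RE = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^,\s]+)")


def simulate_auto_kv(raw):
    """Approximate search-time automatic extraction over one event.

    Every key=value pair found in the body becomes a field, and _raw is
    the complete body: the fields are derived from _raw, they are not
    stored separately from it. That is why the question's event shows
    'rawdata1 - hater = yes, nothater = no' as _raw and hater/nothater
    as extracted fields underneath it."""
    fields = {"_raw": raw}
    for match in KV_RE.finditer(raw):
        fields.setdefault(match.group("key"), match.group("value"))
    return fields


def post_event(base_url, session_key, path, body):
    """Send the built request to a live Splunk instance (not run offline).

    Assumes a session key obtained from /services/auth/login; the SDK's
    authService.send in the question does the same over HTTPS."""
    req = urllib.request.Request(
        urljoin(base_url, path), data=body.encode("utf-8"), method="POST"
    )
    req.add_header("Authorization", f"Splunk {session_key}")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample taken from the question's setContent() call.
    path, body = build_receiver_request(
        "rawdata1 - hater = yes, nothater = no",
        host="localhost", index="main", source="addfields", sourcetype="addedfields",
    )
    print(path)
    print(simulate_auto_kv(body))
```

Running it offline shows the query string carrying only the four metadata fields and the simulated extraction returning `hater=yes` and `nothater=no` alongside the full `_raw`. Getting `_raw` to contain only `rawdata1` while still having `hater` and `nothater` as fields is not something the body text alone can express, because extracted fields come from `_raw`; that is the situation described in the question.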
What are the other ways to format the log message?
No, it is simply a framework to make it easier for you.
Is it necessary to format the log message using the Splunk logging framework?
You can add fields in the data in key=value pairs and they will be extracted automatically.
See also the docs on the receivers endpoint.
I mean in the same place the data of the event is sent, not as extra parameters.
Are you sure? It didn't work.
I appended the key=value pairs to the REST API endpoint URL. I appended the source and sourcetype and they appear in the search, but not the additional fields that I created.