Hi,
My use case is:
I am using the Splunk universal forwarder to forward logs, and I am able to send the logs to Splunk. I would like to parse the logs by breaking them into multiple lines as below.
Now I am getting my log as
{ [-]
log: {someinformation of application here {msg"a":"1","b":"2","c":"3","d":"4"
}
I want my log to appear as below.
So I want to extract the field so that it appears as below in the Splunk UI:
{ [-]
log: {someinformation of application here {msg-"a":"1","b":"2","c":"3","d":"4"}
}
msg-{
a:1
b:2
c:3
d:4
}
I am adding the lines below to props.conf:
[kubernetes]
CHARSET=UTF-8
SHOULD_LINEMERGE=false
NO_BINARY_CHECK = true
# remove docker json wrapper, then remove escapes from the quotes in the log message.
SEDCMD-1_unjsonify = s/{"log":"(?:\\u[0-9]+)?(.*?)\\n","stream.*/\1/g
SEDCMD-2_unescapequotes = s/\\"/"/g
# another experimental version of the sed.
#SEDCMD-1_unjsonify = s/{"log":"(?:\\u[0-9]+)?(.*)\\n","stream.*?([\n\r])/\1\2/g
category = Custom
disabled = false
pulldown_type = true
TRUNCATE=150000
TZ=UTC
Any help is appreciated.
Thanks.
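The SEDCMD pipeline from the props.conf above, run against a constructed Docker json-file log line so the effect of each step is visible. This is an added example, not code from the thread or from Splunk: Python's re module stands in for Splunk's PCRE-based sed engine, the sample line and the msg{...} payload regex are constructed here, and extract_msg_fields is only a model of what a search-time field extraction would do.

```python
"""Emulate the props.conf SEDCMD pipeline from the thread on a constructed Docker log line.

Splunk applies SEDCMD-* settings at index time using sed-style s/regex/replacement/flags
syntax; Python's re module is close enough to show what each step leaves behind.
Everything in this file is an added illustration, not Splunk code.
"""
import json
import re

# Constructed sample (not from the thread): the application writes one text line that
# happens to contain JSON after the token "msg", and Docker's json-file driver wraps
# that line in its own JSON object with "log", "stream" and "time" keys.
APP_LINE = '2019-05-01 10:00:00 INFO started msg{"a":"1","b":"2","c":"3","d":"4"}\n'
RAW_DOCKER_LINE = json.dumps(
    {"log": APP_LINE, "stream": "stdout", "time": "2019-05-01T10:00:00.000000000Z"},
    separators=(",", ":"),
)

# SEDCMD-1_unjsonify = s/{"log":"(?:\\u[0-9]+)?(.*?)\\n","stream.*/\1/g
# Keep only the "log" value: drop the wrapper and the trailing escaped newline.
UNJSONIFY = re.compile(r'{"log":"(?:\\u[0-9]+)?(.*?)\\n","stream.*')

# SEDCMD-2_unescapequotes = s/\\"/"/g
# The log value still carries JSON-escaped quotes (\"); turn them back into plain quotes.
UNESCAPE_QUOTES = re.compile(r'\\"')

# Model of a search-time extraction for the msg payload: the brace after "msg" through
# the closing brace at the end of the event. Assumes a flat JSON object with string
# values, as in the thread's sample; this regex is constructed for the example.
MSG_PAYLOAD = re.compile(r'msg(?P<msg>\{.*\})')


def unjsonify(raw_event: str) -> str:
    """Step 1: strip the Docker json-file wrapper (what SEDCMD-1 does)."""
    return UNJSONIFY.sub(r'\1', raw_event)


def unescape_quotes(event: str) -> str:
    """Step 2: undo JSON quote escaping (what SEDCMD-2 does)."""
    return UNESCAPE_QUOTES.sub('"', event)


def index_time_pipeline(raw_event: str) -> str:
    """Apply both SEDCMDs in the order props.conf lists them."""
    return unescape_quotes(unjsonify(raw_event))


def extract_msg_fields(event: str) -> dict:
    """Pull the key/value pairs out of the msg{...} payload.

    Returns {} when the payload is missing or is not valid JSON, which is exactly
    what happens if the event is still wrapped or still quote-escaped.
    """
    match = MSG_PAYLOAD.search(event)
    if not match:
        return {}
    try:
        payload = json.loads(match.group("msg"))
    except json.JSONDecodeError:
        return {}
    return {str(k): str(v) for k, v in payload.items()}


if __name__ == "__main__":
    print("raw:       ", RAW_DOCKER_LINE)
    cleaned = index_time_pipeline(RAW_DOCKER_LINE)
    print("indexed:   ", cleaned)
    print("fields:    ", extract_msg_fields(cleaned))
    # Skipping step 2 leaves \" inside the payload, so the JSON parse fails and no fields come out.
    print("no unesc:  ", extract_msg_fields(unjsonify(RAW_DOCKER_LINE)))
```

In Splunk itself the field extraction belongs in the same sourcetype stanza as the SEDCMD settings, as an EXTRACT-<name> regex with named capture groups (or a REPORT- setting that references transforms.conf). The point the emulation makes is ordering: the payload is not valid JSON until SEDCMD-1 has removed the wrapper and SEDCMD-2 has replaced every \" with a plain quote, so an extraction written against the raw wrapper matches nothing useful.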
Hello,
As I understand it, you did not define any field extraction or a precise sourcetype.
Please have a look at:
https://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Data/Whysourcetypesmatter
and
http://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/ExtractfieldsinteractivelywithIFX
Thanks for your response. I did mention the sourcetype. Where should I mention the field extractor?