Looking for assistance with regex when extracting ...

rhendle · ‎03-01-2019

Original syslog format of json message:

Feb 25 16:24:24 hostname.fqdn.com Feb 25 22:24:24 log-forwarder-pn4c9 edge-443-7f98575954-k4h8q_rtf_ed {"log":"\u003clogEntry\u003e\u003cheader\u003e\u003ctime\u003e2019-02-25T22:24:24.232620\u003c/time\u003e\u003cnode\u003ehostname.fqdn.com\u003c/node\u003e\u003clogType\u003eINPUT_SERVER\u003c/logType\u003e\u003clogLevel\u003eINFO\u003c/logLevel\u003e\u003cprocess\u003esecurityfabric-edge-runtime\u003c/process\u003e\u003cpid\u003e4266\u003c/pid\u003e\u003ctid\u003e4280\u003c/tid\u003e\u003cfile\u003e/edge/cbrcore/src/protocols/http/http/HTTP_Server.cpp\u003c/file\u003e\u003cline\u003e715\u003c/line\u003e\u003c/header\u003e\u003cbody\u003e\u003cinfoMsg\u003eHttpInputServeradding rule [input: /prc-well, output: /$, app: prc-well-prd.ef3e3855-8f93-4c20-9542-bcaa7a966ed0.svc.cluster.local, ssl_redirect: 1, upstream https: 0, streaming: 0] for virtual host: api.chk.com\u003c/infoMsg\u003e\u003c/body\u003e\u003c/logEntry\u003e\n","stream":"stdout","time":"2019-02-25T22:24:24.232912499Z"}

After implementing regex example extraction from article https://answers.splunk.com/answers/548539/can-you-extract-json-syslog-automatically.html?utm_source=...

[sourcetype]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
KV_MODE=none

Example updated logged event in Splunk:

    { [-] 
       log: INFO  2019-02-25 22:43:18,350 [[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5] [event: 133781fd-65af-41da-99b6-905dfcfe6dc3] org.mule.extension.jsonlogger.JsonLogger: {"applicationName":"prc-well","applicationVersion":"1.0.2","content":"{\n  \"correlationId\": \"b8a3ad0c-976d-4c3e-b4c3-9a1977483920\",\n  \"parentMessageId\": \"\",\n  \"businessEntityName\": \"well\",\n  \"businessKey\": \"113262\",\n  \"originatingApplicationName\": \"/10.244.100.0:52500\",\n  \"businessProcessName\": \"well management\"\n}","correlationId":"133781fd-65af-41da-99b6-905dfcfe6dc3","elapsed":"1","environment":"prd","locationInfo":{"component":"json-logger:logger","fileName":"prc-well-api-implementation.xml","lineInFile":"49","location":"api-get-well/processors/2","rootContainer":"api-get-well"},"message":"Start api-get-well","priority":"INFO","threadName":"[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5","timestamp":"2019-02-25T22:43:16.044Z","tracePoint":"START"}

   stream: stdout 
   time: 2019-02-25T22:43:18.449706618Z 
}

But I'm actually looking for regex assistance in automatically parsing out the json fields after org.mule.extension.jsonlogger.JsonLogger so that I don't have to create manual extractions in SPLUNK.

log: INFO  2019-02-25 22:43:18,350 [[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5] [event: 133781fd-65af-41da-99b6-905dfcfe6dc3] org.mule.extension.jsonlogger.JsonLogger: {

THANK YOU!!!

damann · ‎03-05-2019

Did you already tried to choose _json as sourcetype for your events?

rhendle · ‎03-05-2019

Yes but since this is really json inside of syslog (the application's only output is syslog but the data sent to syslog is Json) it doesn't work.

I'm able to extract each field using field extractions in the splunk search head (Saas) but was hoping for a more efficient way to on the HF (on premise) to extract and forward just the full json message to splunk.

Thanks!

Looking for assistance with regex when extracting json from inside of syslog events

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!