Splunk Search

Looking for assistance with regex when extracting json from inside of syslog events

rhendle
Observer

Original syslog format of json message:

Feb 25 16:24:24 hostname.fqdn.com Feb 25 22:24:24 log-forwarder-pn4c9 edge-443-7f98575954-k4h8q_rtf_ed {"log":"\u003clogEntry\u003e\u003cheader\u003e\u003ctime\u003e2019-02-25T22:24:24.232620\u003c/time\u003e\u003cnode\u003ehostname.fqdn.com\u003c/node\u003e\u003clogType\u003eINPUT_SERVER\u003c/logType\u003e\u003clogLevel\u003eINFO\u003c/logLevel\u003e\u003cprocess\u003esecurityfabric-edge-runtime\u003c/process\u003e\u003cpid\u003e4266\u003c/pid\u003e\u003ctid\u003e4280\u003c/tid\u003e\u003cfile\u003e/edge/cbrcore/src/protocols/http/http/HTTP_Server.cpp\u003c/file\u003e\u003cline\u003e715\u003c/line\u003e\u003c/header\u003e\u003cbody\u003e\u003cinfoMsg\u003eHttpInputServeradding rule [input: /prc-well, output: /$, app: prc-well-prd.ef3e3855-8f93-4c20-9542-bcaa7a966ed0.svc.cluster.local, ssl_redirect: 1, upstream https: 0, streaming: 0] for virtual host: api.chk.com\u003c/infoMsg\u003e\u003c/body\u003e\u003c/logEntry\u003e\n","stream":"stdout","time":"2019-02-25T22:24:24.232912499Z"}

After implementing regex example extraction from article https://answers.splunk.com/answers/548539/can-you-extract-json-syslog-automatically.html?utm_source=...

[sourcetype]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
KV_MODE=none

Example updated logged event in Splunk:

    { [-] 
       log: INFO  2019-02-25 22:43:18,350 [[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5] [event: 133781fd-65af-41da-99b6-905dfcfe6dc3] org.mule.extension.jsonlogger.JsonLogger: {"applicationName":"prc-well","applicationVersion":"1.0.2","content":"{\n  \"correlationId\": \"b8a3ad0c-976d-4c3e-b4c3-9a1977483920\",\n  \"parentMessageId\": \"\",\n  \"businessEntityName\": \"well\",\n  \"businessKey\": \"113262\",\n  \"originatingApplicationName\": \"/10.244.100.0:52500\",\n  \"businessProcessName\": \"well management\"\n}","correlationId":"133781fd-65af-41da-99b6-905dfcfe6dc3","elapsed":"1","environment":"prd","locationInfo":{"component":"json-logger:logger","fileName":"prc-well-api-implementation.xml","lineInFile":"49","location":"api-get-well/processors/2","rootContainer":"api-get-well"},"message":"Start api-get-well","priority":"INFO","threadName":"[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5","timestamp":"2019-02-25T22:43:16.044Z","tracePoint":"START"}

   stream: stdout 
   time: 2019-02-25T22:43:18.449706618Z 
}

But I'm actually looking for regex assistance in automatically parsing out the json fields after org.mule.extension.jsonlogger.JsonLogger so that I don't have to create manual extractions in SPLUNK.

log: INFO  2019-02-25 22:43:18,350 [[MuleRuntime].cpuLight.02: [prc-well-prd].api-get-well.CPU_LITE @3432afd5] [event: 133781fd-65af-41da-99b6-905dfcfe6dc3] org.mule.extension.jsonlogger.JsonLogger: {

THANK YOU!!!

0 Karma

damann
Communicator

Did you already tried to choose _json as sourcetype for your events?

0 Karma

rhendle
Observer

Yes but since this is really json inside of syslog (the application's only output is syslog but the data sent to syslog is Json) it doesn't work.

I'm able to extract each field using field extractions in the splunk search head (Saas) but was hoping for a more efficient way to on the HF (on premise) to extract and forward just the full json message to splunk.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...