Solved: How to parse combined JSON and Syslog event?

mzeb · ‎08-27-2019

I have an event that has a syslog preamble with a JSON body.
They take this shape:

<190>0 2019-08-27T17:51:22.876570+00:00 ip-10-0-29-201 assurance-rails-staging 28462 - 6 info  {"method":"GET","path":"/agent/callbacks/refresh","format":"json","controller":"agent/lead_callbacks","action":"refresh","status":200,"duration":10.49,"view":0.56,"db":3.8,"params":{},"instance_id":"i-0fc05874277d98a0d","remote_ip":"27.34.111.207, 10.0.4.231"}

The syslog parses wonderfully but the JSON does not. Is there an easy way to make this happen? Thanks.

MuS · ‎08-27-2019

Hi mzeb,

based on the provided sample event you can setup props.conf and transforms.conf on your search head like this:

transforms.conf

  [myTransform]
  REGEX = "([^"]+)":((?:[\d\.\{\}]+)|\"(?:[^"]+))
  FORMAT = $1::$2

props.conf

[mySourceType]
REPORT-myUniqueClassName = myTransform

This will create new fields with names like method,path or format and so on, with value like GET,/agent/callbacks/refresh or json.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎08-27-2019

Hi mzeb,

based on the provided sample event you can setup props.conf and transforms.conf on your search head like this:

transforms.conf

  [myTransform]
  REGEX = "([^"]+)":((?:[\d\.\{\}]+)|\"(?:[^"]+))
  FORMAT = $1::$2

props.conf

[mySourceType]
REPORT-myUniqueClassName = myTransform

This will create new fields with names like method,path or format and so on, with value like GET,/agent/callbacks/refresh or json.

Hope this helps ...

cheers, MuS

How to parse combined JSON and Syslog event?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!