- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Couldn't parse and extract mixed data (json and te...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Couldn't parse and extract mixed data (json and text)
Hi,
I am not able to send my logfile into 2 sourcetypes (json and non-json). Below is my config. I know the fix might be a simple one. It's just that I am not getting anywhere near it. Need your expertise solution.
:::::::::::::::::inputs.conf:::::::::::::::: Only 1 monitor stanza is being picked. How can I parse the log file into two source types? Or any better solution?
[monitor://\\server1\sdata$\]
sourcetype = Custom_W22
index=0_nojson
whitelist = (app1.log)
recursive=false
interval = 10
crcSalt = <SOURCE>
[monitor://\\server1\sdata$]
sourcetype = myjson
index=0_myjson
whitelist = (\app1.log)
recursive=false
interval = 10
crcSalt = <SOURCE>
::::::::::::props.conf::::::::::::::::::::::::::::::
-----Here I have used current DATETIME_CONFIG which ignores my timestamps. I can fix the timestamps after indexing. Otherwise, the parsing was slow---------
[Custom_W22]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Miscellaneous
TRANSFORMS-set = discardAll,queue2resp
disabled = false
pulldown_type = true
DATETIME_CONFIG = CURRENT
TRUNCATE = 100000
[myjson]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
NO_BINARY_CHECK = true
category = Custom
description = myjson custom
disabled = false
pulldown_type = true
TRUNCATE = 100000
MAX_EVENTS = 10000
::::::::::::::::::transforms.conf::::::::::::::::::::::::::
[discardAll]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[queue2resp]
REGEX=(\<Tracker\s+\[pointer)
DEST_KEY=queue
FORMAT=indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More observations:
1)
Both the stanzas work fine if the source logfile is different. My requirement is that I need ONE logfile parsed to TWO sourcetypes.
2) While testing JSON data alone, found that "crcSalt = <SOURCE> " is not working. A new line addition at the tail of the log is re-indexing the whole log and duplicating my splunk events.
I am able to fix it by using below config. Need to know if there are any drawbacks with this approach in the future? Note: followTail is working fine even if the logfile gets archived and a new file with same name gets created.
crcSalt = <SOURCE>
followTail = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
:::::::::::::::::::Work around::::::::::::
Monitor JSON of 1.log - configure input, props and transforms at Forwarder end to push data to the Indexer
Monitor Non-json of same 1.log - configure input, props and transforms at Indexer end to pull data from Forwarder
I am not sure if this a recommended approach. Splunkexperts - please suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nareshinsvu Please go through the following document and let me know if it helps!
https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Advancedsourcetypeoverrides
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sandyIscream - This doesn't help as myjson of my props doesn't need transforms.conf. So, I cant use transforms regex and seperate json events to a different index / sourcetype.
A working example of the config will actually help me to try and test
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
