Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files?

ss026381
Communicator

I am using the Splunk App for Jenkins. I need to treat each build log as a single event in Splunk. Every time I get the data in Splunk, it breaks it on timestamp. Considering I do not have access to the conf files, is there an option in the app configuration to send the log file as a single event?

I found some answers on this topic: https://answers.splunk.com/answers/106075/each-file-as-one-single-splunk-event.html, but they all talk about changing the .conf file.

If I have to change the .conf file, I may ask the admin to make this change, but I don't know what change I have to make. Where would I use ((?!)) or ((*FAIL)) to achieve this? Do I have to make changes to prop.conf and input.conf? Would that change have to go on the Splunk server?

0 Karma
1 Solution

txiao_splunk
Splunk Employee

If you only want to correlate the log text, have you tried

index=jenkins_artifact source="*/blah.log" | transaction source
index=jenkins_console source="*/job_name/console" | transaction source

If your log file is structured data and you don't want Splunk to break it line by line, please try using misc_text as the source type in the advanced section.

The text will be kept as a single event until it exceeds 256KB or 200000 lines.

256KB is the default "Max Events Batch Size" in the Jenkins plugin's advanced section.
200000 is the misc_text source type limit; if you want to overwrite this, you have to touch props.conf in Splunk.

Note: It is only tested on the latest Splunk version and Jenkins plugin version.
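
For the props.conf route asked about in the question, here is an added example; it is not part of the original answer or the app's own configuration. The sourcetype name jenkins_single_event and the value 500000 are hypothetical, and the second stanza assumes the 200000-line limit mentioned above is misc_text's MAX_EVENTS setting.

```ini
# props.conf (added example; place it in a local/ directory, not default/)

# Option 1: a custom sourcetype that never breaks its input into events.
# The stanza name is hypothetical; use the sourcetype your data arrives with.
[jenkins_single_event]
# Do not re-merge lines after breaking; LINE_BREAKER alone decides boundaries.
SHOULD_LINEMERGE = false
# LINE_BREAKER requires a capturing group. (*FAIL) can never match, so no
# event boundary is ever found and the whole input stays one event.
LINE_BREAKER = ((*FAIL))
# The default truncates each event at 10000 bytes. 0 disables truncation;
# an explicit cap sized to your largest build log is the safer choice.
TRUNCATE = 0

# Option 2: keep using misc_text and raise its per-event line limit.
# Assumes the 200000-line limit is this stanza's MAX_EVENTS; 500000 is
# a constructed value.
[misc_text]
MAX_EVENTS = 500000
```

Line-breaking settings are applied on the Splunk instance that parses the data (an indexer or heavy forwarder), and only to data indexed after the change.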

ss026381
Communicator

So the transaction command gives me what I want, but when I click on the event and try to open the source, it shows an error. I guess it is expected because the transaction command can combine events from multiple sources into a single event.

Right?

0 Karma

ss026381
Communicator

Thank you Txiao for the answer. The first option worked for me, but the second option didn't work for me. Every time I check "Raw events supported", I don't see any console log event in Splunk. Also, when I choose a custom source type in the options, I still see the default source type (" text:jenkins") in Splunk.

0 Karma