My application is using rsyslog to write logs, so anyway I need to find a way to change the log format because it's not standard JSON.
rsyslog's default format is TIMESTAMP HOSTNAME APP MSG.
So we solved this issue by creating a new template in syslog without timestamp, hostname, application (in other words, just JSON messages).
By adding to /etc/rsyslog.d/mysqpplication.conf:
# Template that emits only the message body (the JSON) followed by a newline
$template MyTemplate,"%msg%\n"
# Forward only messages whose program name is MYSQPP, over UDP, using that template
:programname, isequal, "MYSQPP" @10.0.100.220:555;MyTemplate
And add to /opt/splunk/etc/system/local/props.conf:
[MyApp]
pulldown_type = true
# Parse each forwarded line as a JSON event at index time
INDEXED_EXTRACTIONS = json
KV_MODE = JSON
category = Structured
description = MyApp
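As an added example (not part of the post above), the following Python script emulates what the rsyslog filter and template do to lines in the default TIMESTAMP HOSTNAME APP MSG layout, then checks whether each forwarded payload is valid JSON before Splunk's json extraction sees it. The sample log lines are constructed for this example.

```python
import json
import re

# Constructed sample lines in rsyslog's default TIMESTAMP HOSTNAME APP MSG layout.
# The third line has a truncated JSON body on purpose, to show what the check catches.
SAMPLE_LINES = [
    'Jan  5 12:00:01 app01 MYSQPP[2231]: {"event":"login","user":"alice","ok":true}',
    'Jan  5 12:00:02 app01 sshd[991]: Accepted publickey for bob from 10.0.0.5',
    'Jan  5 12:00:03 app01 MYSQPP[2231]: {"event":"login","user":"mallory","ok":false',
]

# Minimal RFC3164-style parser: timestamp, hostname, programname[pid]: msg
SYSLOG_RE = re.compile(
    r'^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) '
    r'(?P<programname>[^\[:\s]+)(?:\[\d+\])?: '
    r'(?P<msg>.*)$'
)


def apply_template(line, programname="MYSQPP"):
    """Emulate ':programname, isequal, "MYSQPP"' with the template "%msg%\\n".

    Returns the payload rsyslog would forward, or None when the selector
    does not match and the line would not be forwarded at all.
    """
    m = SYSLOG_RE.match(line)
    if not m or m.group("programname") != programname:
        return None
    # rsyslog keeps the message body as-is; json.loads tolerates leading whitespace.
    return m.group("msg") + "\n"


def check_forwarded(lines):
    """Split forwarded payloads into (good, bad).

    good: decoded JSON objects Splunk can extract fields from
    bad:  (payload, error) pairs that INDEXED_EXTRACTIONS = json would not parse
    """
    good, bad = [], []
    for line in lines:
        payload = apply_template(line)
        if payload is None:
            continue
        try:
            good.append(json.loads(payload))
        except json.JSONDecodeError as exc:
            bad.append((payload.strip(), str(exc)))
    return good, bad


if __name__ == "__main__":
    ok, broken = check_forwarded(SAMPLE_LINES)
    print("forwarded and parsed:", ok)
    print("forwarded but not JSON:", broken)
```

Running this on real output is a quick way to confirm that only the application's events are forwarded and that every one of them is parseable before changing props.conf.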