tcp {
  codec => line { format => "%{test1}" }
  host => "127.0.0.1"
  port => 7515
  id => "TCP-SPLUNK-test1"
}
I can do the same for all cloned items, but I guess there is a more clever way to do it.
The last one is a question related to identifying events - something like:
if format is { "test1":{},"test2":{},"test3":{},"test4":{} }
then do something
else do something different
I guess this should be done with grok, but I'll play with that after I manage to fix the first 2 issues.
Yes, all json elements from test1 should go to root json.
The general idea is to ingest the content of the nested JSONs as separate events - maybe there is a better idea ...
You're right, I'm not skilled enough even to read ruby code.
I should check and adapt it a bit, as now it generates 3000+ lines of output - somehow the events are multiplied ~15 times.
What about identifying the specific format? Developers are migrating to this new format, and for some time I'll get a mix of old events (what is inside test1, test2 etc.) as single events and the new type of events, where I have this combination of nested JSONs.
If somehow I manage to tag the new events, I can apply this ruby filter.
If not, then process them with the old filters.
As a ruby solution is not acceptable for our support guys, I've requested the developers to change the logging format to:
{
"result": [{
"field1": "valuex",
"field2": "valuey"
The idea is to generate X single events based on the nested JSONs.
Unfortunately, when I use split it generates separate events, but again inside the nested json.
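The two problems raised in the thread, telling the new "nested JSONs" layout apart from an old single event and splitting a nested event into one root-level event per key, can be sketched in plain Ruby. This is an added example, not code posted in the thread; the sample lines, the `nested_json` tag and the `source` field are constructed here, and the same logic would map onto a Logstash ruby filter with event.get/event.set.

```ruby
require 'json'

# Constructed sample of the new format: every top-level value is a nested object.
NEW_FORMAT = '{"test1":{"a":1},"test2":{"b":2},"test3":{"c":3},"test4":{"d":4}}'
# Constructed sample of an old-style event (roughly what used to be inside test1).
OLD_FORMAT = '{"a":1,"level":"INFO"}'

# True when every top-level value is itself a JSON object, i.e. the
# { "test1":{}, "test2":{}, ... } layout the developers are migrating to.
def nested_format?(event)
  !event.empty? && event.values.all? { |v| v.is_a?(Hash) }
end

# Split one nested event into N root-level events, one per nested key.
# The originating key is kept in a "source" field (constructed name) so the
# split events stay traceable; the nested fields themselves land at the root.
def split_nested(event)
  event.map do |key, nested|
    nested.merge('source' => key)
  end
end

# Route a raw log line: tag and split the new format, pass old events through
# unchanged so they continue to the existing filters.
def process(line)
  event = JSON.parse(line)
  if nested_format?(event)
    split_nested(event).map { |e| e.merge('tags' => ['nested_json']) }
  else
    [event]
  end
end

if __FILE__ == $PROGRAM_NAME
  process(NEW_FORMAT).each { |e| puts JSON.generate(e) }  # 4 root-level events
  process(OLD_FORMAT).each { |e| puts JSON.generate(e) }  # 1 unchanged event
end
```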