How to configure Splunk to properly parse logs that contain one or more values with double quotes?

Hello Splunk community,

Currently I am doing research as an intern at a government agency on whether their Windows services written in C# can have their logging end up in a Splunk environment. All of these services use the Windows Enterprise Library, which can be easily modified to fit the Splunk logging best practices with just configuration files. After changing these, I ended up with the following format:

    2016-10-27 14:10:28.41 TZ DST, type=trace, level=Information, category=IN, threadid=12732, servicenaam="LogExample v2.vshost", machinenaam="DPCV74", berichttype="Berichttype x", eventid="10", bericht="Dit is een log met een ander bericht type en bericht id en logtype"

The problem is that the 'bericht' variable and possibly other variables may contain quotes in the value. These could be from an XML message being logged or exception traces containing double quotes. This breaks Splunk and results in wrong parameters being detected and line breaks not working properly.

I've tried the following things:

* Changing the quotes to double dollar signs for the 'bericht' variable. (eventid=x, bericht=$$testvalue with quotes `"` and single `'` $$)
* Overriding the Enterprise Library TextFormatter and stripping out quotes before writing to the log
* Writing to JSON format

I successfully extracted the fields using the 'Extract new fields' function and Regular Expressions in Splunk Web with the first solution, but I don't think this is the best way for this problem. The second solution would be a lot cleaner, but requires many more changes to the system and therefore has a bigger impact. (It would require changes to the code of 100+ services.) The third solution is impossible with the version of Enterprise Library that is being used (JsonLogFormatter was introduced in version 6+).

If code would have to be changed, would using the Splunk C# HTTP Event Collector help with this issue?

Sadly, I didn't find a lot on this issue other than 'just strip the quotes', so hopefully someone can help me.

Thanks, Martijn
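As an added example (not part of the original post, and not a configuration from the Enterprise Library project), here is a props.conf stanza that addresses the two symptoms separately: line breaking is anchored on the leading timestamp so that a quote or newline inside a field value can never start a new event, and the `$$`-delimited field from the first workaround is pulled out with a dedicated search-time extraction. The sourcetype name `entlib:service`, the two-digit subsecond format, and the use of the `$$` delimiter are assumptions.

```ini
# props.conf -- added example, not from the original post.
# Sourcetype name, subsecond width and the $$ delimiter are assumptions.
[entlib:service]

# One event per line: break only where the next line starts with a
# timestamp, so embedded quotes or newlines inside a value cannot split
# or merge events. LINE_BREAKER needs a capture group for the separator.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)

# The timestamp is at the very start of the event; stop looking after it
# so text later in the line (XML, stack traces) is never mistaken for a time.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%2N
MAX_TIMESTAMP_LOOKAHEAD = 25

# Keep automatic key=value extraction for the simple fields
# (type, level, category, threadid, eventid, servicenaam, ...).
KV_MODE = auto

# Search-time extraction for the $$-delimited field. (?s) lets the value
# span line breaks; the non-greedy match stops at the closing $$, so any
# " or ' inside the value is kept verbatim instead of ending the field.
EXTRACT-bericht = (?s)bericht=\$\$(?<bericht>.*?)\$\$
```

If the automatic extraction also yields a truncated `bericht` (for example `$$Dit`), set `KV_MODE = none` and add one `EXTRACT-` line per remaining field so only the explicit patterns apply. The same line-breaking settings are what matter most when the services are later moved to the HTTP Event Collector or to JSON: once each event arrives as one unit, quoting inside values stops being a parsing problem and becomes a field-extraction detail.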
