https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106791#M50541 <P>Hello <A rel="user" href="https://community.cloudera.com/users/13466/wbu.html" nodeid="13466" target="_blank">@Wendell Bu</A> , I am trying same , to send events from Nifi to Splunk (using putSplunk processor) . I was stuck initially , not able to see events in splunk . My AttributetoJSON (In my view data provenance ,I see raw logs are converted to JSON format) is connected to putSplunk processor , It has hostname,port and message delimiter configured as in below screenshot . On splunk side , input port is defined . Not sure if i am missing something .Can you please let me know if there are any other steps, i need to follow ? </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="108425-screen-shot-2019-05-06-at-115642-am.png" style="width: 1614px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/23496i0B816FF8DE4F7D06/image-size/medium?v=v2&amp;px=400" role="button" title="108425-screen-shot-2019-05-06-at-115642-am.png" alt="108425-screen-shot-2019-05-06-at-115642-am.png" /></span></P><P><BR /></P><P>Appreciate your help in advance !</P> Mon, 19 Aug 2019 11:49:34 GMT sumanth_kumar 2019-08-19T11:49:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106787#M50537 <P>Hi,</P><P>I'm using PutSplunk processor to sink syslogs in json format to Splunk server.</P><P>But on Splunk side, I see multiple json are grouped in one event.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="10967-screen-shot-2017-01-01-at-195227.png" style="width: 2880px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/23497iB7DD066D8C375B2B/image-size/medium?v=v2&amp;px=400" role="button" title="10967-screen-shot-2017-01-01-at-195227.png" alt="10967-screen-shot-2017-01-01-at-195227.png" /></span></P><P>How can I configure my PutSplunk and Splunk server to see one json for each event?</P><P>Regards,</P><P>Wendell</P> Mon, 19 Aug 2019 11:49:42 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106787#M50537 wbu 2019-08-19T11:49:42Z https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106788#M50538 <P>Make sure you split data using the SplitJson processor in NiFi before putting into Splunk. The reason is the syslog receiver may bundle incoming messages based on the network setup, but knows nothing about actual data format like json.</P> Wed, 04 Jan 2017 00:06:47 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106788#M50538 andrewg 2017-01-04T00:06:47Z https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106789#M50539 <P>PutSplunk has two modes of operating, it can send the entire content of the flow file as a single message, or it can stream the content of a flow file and separate it based on a delimiter. The way it chooses between these modes is based on whether or not the "Message Delimiter" property is set in PutSplunk.</P><P> In your case I am assuming you have multiple JSON documents in a flow file, so you probably want to set the "Message Delimiter" to whatever is separating them, likely a \n. </P> Wed, 04 Jan 2017 00:06:54 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106789#M50539 bbende 2017-01-04T00:06:54Z https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106790#M50540 <P>Hi,</P><P>Actually, the flowfile in the queue before the PutSplunk does contain only one json.</P><P>For some reason the Splunk group them together. If I choose different json type (no timestamp) in splunk data, then each json in one event. But <A rel="user" href="https://community.cloudera.com/users/363/bbende.html" nodeid="363">@Bryan Bende</A>'s "Message Delimiter" worth to be added.</P><P>Regards,</P><P>Wendell</P> Wed, 04 Jan 2017 00:22:55 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106790#M50540 wbu 2017-01-04T00:22:55Z https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106791#M50541 <P>Hello <A rel="user" href="https://community.cloudera.com/users/13466/wbu.html" nodeid="13466" target="_blank">@Wendell Bu</A> , I am trying same , to send events from Nifi to Splunk (using putSplunk processor) . I was stuck initially , not able to see events in splunk . My AttributetoJSON (In my view data provenance ,I see raw logs are converted to JSON format) is connected to putSplunk processor , It has hostname,port and message delimiter configured as in below screenshot . On splunk side , input port is defined . Not sure if i am missing something .Can you please let me know if there are any other steps, i need to follow ? </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="108425-screen-shot-2019-05-06-at-115642-am.png" style="width: 1614px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/23496i0B816FF8DE4F7D06/image-size/medium?v=v2&amp;px=400" role="button" title="108425-screen-shot-2019-05-06-at-115642-am.png" alt="108425-screen-shot-2019-05-06-at-115642-am.png" /></span></P><P><BR /></P><P>Appreciate your help in advance !</P> Mon, 19 Aug 2019 11:49:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/PutSplunk-processor-and-Splunk-group-multiple-syslog-jsons/m-p/106791#M50541 sumanth_kumar 2019-08-19T11:49:34Z