Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

PutSplunk processor and Splunk group multiple syslog jsons into one event

avatar
author-rank wbu author-rank
Expert Contributor

Created on ‎01-01-2017 07:54 PM - edited ‎08-19-2019 04:49 AM

Hi,

I'm using PutSplunk processor to sink syslogs in json format to Splunk server.

But on Splunk side, I see multiple json are grouped in one event.

10967-screen-shot-2017-01-01-at-195227.png

How can I configure my PutSplunk and Splunk server to see one json for each event?

Regards,

Wendell

2,895 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank wbu author-rank
Expert Contributor

Created ‎01-03-2017 04:22 PM

Hi,

Actually, the flowfile in the queue before the PutSplunk does contain only one json.

For some reason the Splunk group them together. If I choose different json type (no timestamp) in splunk data, then each json in one event. But @Bryan Bende's "Message Delimiter" worth to be added.

Regards,

Wendell

View solution in original post

2,531 Views
0 Kudos
4 REPLIES 4

avatar
author-rank andrewg author-rank
Guru

Created ‎01-03-2017 04:06 PM

Make sure you split data using the SplitJson processor in NiFi before putting into Splunk. The reason is the syslog receiver may bundle incoming messages based on the network setup, but knows nothing about actual data format like json.

2,531 Views
0 Kudos

avatar
author-rank bbende author-rank
Master Guru

Created ‎01-03-2017 04:06 PM

PutSplunk has two modes of operating, it can send the entire content of the flow file as a single message, or it can stream the content of a flow file and separate it based on a delimiter. The way it chooses between these modes is based on whether or not the "Message Delimiter" property is set in PutSplunk.

In your case I am assuming you have multiple JSON documents in a flow file, so you probably want to set the "Message Delimiter" to whatever is separating them, likely a \n.

2,531 Views
0 Kudos

avatar
author-rank wbu author-rank
Expert Contributor

Created ‎01-03-2017 04:22 PM

Hi,

Actually, the flowfile in the queue before the PutSplunk does contain only one json.

For some reason the Splunk group them together. If I choose different json type (no timestamp) in splunk data, then each json in one event. But @Bryan Bende's "Message Delimiter" worth to be added.

Regards,

Wendell

2,532 Views
0 Kudos

avatar
author-rank sumanth_kumar
New Contributor

Created on ‎05-06-2019 10:05 PM - edited ‎08-19-2019 04:49 AM

Hello @Wendell Bu , I am trying same , to send events from Nifi to Splunk (using putSplunk processor) . I was stuck initially , not able to see events in splunk . My AttributetoJSON (In my view data provenance ,I see raw logs are converted to JSON format) is connected to putSplunk processor , It has hostname,port and message delimiter configured as in below screenshot . On splunk side , input port is defined . Not sure if i am missing something .Can you please let me know if there are any other steps, i need to follow ?

108425-screen-shot-2019-05-06-at-115642-am.png


Appreciate your help in advance !

2,531 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements