Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

PutSplunk processor and Splunk group multiple syslog jsons into one event

avatar
author-rank wbu author-rank
Expert Contributor

Created on ‎01-01-2017 07:54 PM - edited ‎08-19-2019 04:49 AM

Hi,

I'm using PutSplunk processor to sink syslogs in json format to Splunk server.

But on Splunk side, I see multiple json are grouped in one event.

10967-screen-shot-2017-01-01-at-195227.png

How can I configure my PutSplunk and Splunk server to see one json for each event?

Regards,

Wendell

3,213 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank wbu author-rank
Expert Contributor

Created ‎01-03-2017 04:22 PM

Hi,

Actually, the flowfile in the queue before the PutSplunk does contain only one json.

For some reason the Splunk group them together. If I choose different json type (no timestamp) in splunk data, then each json in one event. But @Bryan Bende's "Message Delimiter" worth to be added.

Regards,

Wendell

View solution in original post

2,849 Views
0 Kudos
0
4 REPLIES 4

avatar
author-rank andrewg author-rank
Guru

Created ‎01-03-2017 04:06 PM

Make sure you split data using the SplitJson processor in NiFi before putting into Splunk. The reason is the syslog receiver may bundle incoming messages based on the network setup, but knows nothing about actual data format like json.

2,849 Views
0 Kudos

avatar
author-rank bbende author-rank
Master Guru

Created ‎01-03-2017 04:06 PM

PutSplunk has two modes of operating, it can send the entire content of the flow file as a single message, or it can stream the content of a flow file and separate it based on a delimiter. The way it chooses between these modes is based on whether or not the "Message Delimiter" property is set in PutSplunk.

In your case I am assuming you have multiple JSON documents in a flow file, so you probably want to set the "Message Delimiter" to whatever is separating them, likely a \n.

2,849 Views
0 Kudos

avatar
author-rank wbu author-rank
Expert Contributor

Created ‎01-03-2017 04:22 PM

Hi,

Actually, the flowfile in the queue before the PutSplunk does contain only one json.

For some reason the Splunk group them together. If I choose different json type (no timestamp) in splunk data, then each json in one event. But @Bryan Bende's "Message Delimiter" worth to be added.

Regards,

Wendell

2,850 Views
0 Kudos
0

avatar
author-rank sumanth_kumar
New Contributor

Created on ‎05-06-2019 10:05 PM - edited ‎08-19-2019 04:49 AM

Hello @Wendell Bu , I am trying same , to send events from Nifi to Splunk (using putSplunk processor) . I was stuck initially , not able to see events in splunk . My AttributetoJSON (In my view data provenance ,I see raw logs are converted to JSON format) is connected to putSplunk processor , It has hostname,port and message delimiter configured as in below screenshot . On splunk side , input port is defined . Not sure if i am missing something .Can you please let me know if there are any other steps, i need to follow ?

108425-screen-shot-2019-05-06-at-115642-am.png


Appreciate your help in advance !

2,849 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements