Typically we have been successful at getting the Splunk forwarder to index log files from the remote instance onto an indexer in this manner:

```
# inputs.conf on the forwarder
[monitor://D:\Splunk\application\applog.log]
disabled=0
followTail=0
sourcetype=LogFile
```

However, we are looking to index two OTHER file types, for which this skeleton does not work:

i) Logging .out files:
If I replace applog.log with applog.out it should work seamlessly (they are both simply different formats of logfiles). That does not happen; the forwarder does not push out any data from the applog.out file.

ii) Logging .json files:

I have a daily-rolled-over logfile by the name of run-data.json that I need to index.

However, since it is in JSON format, I need to figure out a strategy (convert it to XML or a string) first and then push the data in there onto a forwarder.

Needless to say, the JSON data does not have any timestamps in it currently, which by itself presents a big issue.

Any pointers?

asked 11 Jul '12, 14:03

asarolkar
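The conversion the question describes (JSON records turned into timestamped string events that a `[monitor://...]` input can pick up), sketched as an added example that is not part of the original post. The record layout, the function names and the caller-supplied timestamp (for instance the file's modification time) are assumptions, since the page does not show run-data.json.

```python
import json
from datetime import datetime, timezone

def flatten(value, prefix=""):
    """Yield (dotted_key, scalar) pairs from nested dicts and lists."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from flatten(v, f"{prefix}.{i}" if prefix else str(i))
    else:
        yield prefix, value

def load_records(text):
    """Accept one JSON document (object or array) or newline-delimited JSON."""
    try:
        doc = json.loads(text)
        return doc if isinstance(doc, list) else [doc]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

def to_events(text, stamp):
    """Return one 'timestamp key=value ...' line per record."""
    ts = stamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S%z")
    events = []
    for record in load_records(text):
        if not isinstance(record, dict):
            record = {"value": record}  # bare scalar or list at top level
        # json.dumps quotes and escapes every value, so quotes or newlines
        # inside the data cannot split a field or start a forged event line.
        fields = " ".join(f"{k}={json.dumps(v)}" for k, v in flatten(record))
        events.append(f"{ts} {fields}")
    return events

if __name__ == "__main__":
    # Constructed sample; the real layout of run-data.json is not on the page.
    sample = '[{"job": "nightly", "result": {"status": "ok", "rows": 42}}]'
    stamp = datetime(2012, 7, 11, 14, 3, tzinfo=timezone.utc)  # assumed mtime
    for line in to_events(sample, stamp):
        print(line)
```

Writing these lines to a file matched by an existing monitor stanza gives every event a leading timestamp and a single-line form.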


Last updated: 11 Jul '12, 14:03

Copyright © 2005-2012 Splunk Inc. All rights reserved.