We have started using the HTTP Event Collector (HEC) for logging directly from our Java apps. HEC takes data in JSON format, but we have a lot of legacy code that logs key/value pairs and some searches/dashboards that utilize these. Data logged to HEC is by default indexed as the _json sourcetype and I have tried to configure this with KV_MODE=auto (for key/value) and json (for JSON format), but neither of these seems to trigger Splunk to index key/values. Example log statement:
logger.info("corrId=11-1111-566 aa=88");
However, I have not been able to search on the keys, e.g. _search aa=88_
The event looks like this:
![alt text][1]
[1]: /storage/temp/217736-screenshot-2017-10-03-095137.png
Raw format: {"severity":"INFO","logger":"splunk.logger","thread":"main","message":"corrId=11-1111-566 aa=88"}
Any ideas?
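As an added example (not part of the post above, and not Splunk's own code), one way to avoid depending on search-time extraction at all: parse the `key=value` pairs out of the message on the sending side and promote them to top-level fields of the HEC `event` object, so the `_json` sourcetype indexes them as ordinary JSON fields. The sample message and the field names `severity`/`logger`/`thread`/`message` mirror the raw event in the post; the regex and the `build_hec_event` helper are assumptions of this example.

```python
import json
import re
from typing import Dict

# Constructed sample, mirroring the post's log statement (values are placeholders).
SAMPLE_MESSAGE = "corrId=11-1111-566 aa=88"

# key=value pairs: a bare token, or a double-quoted value that may contain spaces.
KV_PATTERN = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_.]*)=(?P<value>"[^"]*"|\S+)')


def extract_kv(message: str) -> Dict[str, str]:
    """Extract key=value pairs from a free-text log message.

    Quoted values keep their spaces; surrounding quotes are stripped.
    Values are left as strings, matching what Splunk would extract.
    """
    fields: Dict[str, str] = {}
    for m in KV_PATTERN.finditer(message):
        value = m.group("value")
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[m.group("key")] = value
    return fields


def build_hec_event(severity: str, logger: str, thread: str, message: str,
                    sourcetype: str = "_json") -> dict:
    """Build an HEC payload whose event carries the k/v pairs as JSON fields.

    The original message is kept intact so existing searches on it still work;
    a logged pair never overwrites a structured field such as "severity".
    """
    event = {"severity": severity, "logger": logger, "thread": thread, "message": message}
    for key, value in extract_kv(message).items():
        event.setdefault(key, value)
    return {"sourcetype": sourcetype, "event": event}


if __name__ == "__main__":
    payload = build_hec_event("INFO", "splunk.logger", "main", SAMPLE_MESSAGE)
    # This is the JSON body you would POST to /services/collector/event.
    print(json.dumps(payload, indent=2))
```

With this shape, `aa=88` becomes a top-level `aa` field in the indexed JSON, so a search like `aa=88` matches without any KV_MODE or props.conf changes; the trade-off is that the parsing logic lives in the app rather than in Splunk.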