Hi,
I have logs from Docker in JSON format posted to the Splunk HTTP Event Collector. All fields are dynamically recognized, but the last field **tag** is never recognized. Is it possible that this is due to the duplicate **source** field just before the **tag** field? The source field seems to be a default Splunk field and it's extracted twice: in the raw event and in the input source.
Here are some examples of the JSON events:
{"line":{"time":"2018-09-05 15:39:27.370","level":"silly","message":"Healthcheck:Completed"},"source":"stdout","tag":"dc7eb5ace680","attrs":{"appName":"ms-chatservice","appType":"microservice"}}
{"line":{"time":"2018-09-05 15:56:27.267","level":"debug","message":"KafkaBase.getTopicMetadata: Test"},"source":"stdout","tag":"6960306e978c","attrs":{"appName":"ms-chatservice","appType":"microservice"}}
{"line":"\u001b[0mGET /api/protected/notifications?skip=0\u0026limit=100 \u001b[36m304 \u001b[0m56.743 ms - -\u001b[0m","source":"stdout","tag":"1b6e7b4e756e","attrs":{"appName":"web-pro","appType":"webapp"}}
Does someone have an idea why?
Regards,
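Added example (not from the original post or from Splunk's own tooling): a small Python check that parses the three sample events quoted above, reports which top-level keys share a name with a Splunk default field, and shows a pre-ingest rename that keeps the Docker `source` value under a different name so it cannot shadow the indexer's own `source` metadata. The set of names treated as reserved and the `docker_` prefix are assumptions for illustration; nested keys such as `line.time` are deliberately left alone because only top-level keys can collide with event metadata.

```python
import json

# Assumption (not from the original post): Splunk field names that commonly
# collide with top-level keys inside a JSON event. "source" is the one the
# question mentions; the others are included here only for illustration.
RESERVED_FIELDS = {"source", "sourcetype", "host", "index", "time", "_time"}

# The three sample events from the question, kept verbatim (raw strings so
# the \u escapes reach json.loads unchanged).
SAMPLE_EVENTS = [
    r'{"line":{"time":"2018-09-05 15:39:27.370","level":"silly","message":"Healthcheck:Completed"},"source":"stdout","tag":"dc7eb5ace680","attrs":{"appName":"ms-chatservice","appType":"microservice"}}',
    r'{"line":{"time":"2018-09-05 15:56:27.267","level":"debug","message":"KafkaBase.getTopicMetadata: Test"},"source":"stdout","tag":"6960306e978c","attrs":{"appName":"ms-chatservice","appType":"microservice"}}',
    r'{"line":"\u001b[0mGET /api/protected/notifications?skip=0\u0026limit=100 \u001b[36m304 \u001b[0m56.743 ms - -\u001b[0m","source":"stdout","tag":"1b6e7b4e756e","attrs":{"appName":"web-pro","appType":"webapp"}}',
]


def find_collisions(raw_line):
    """Return the top-level keys of one event that match a reserved field name."""
    event = json.loads(raw_line)
    return sorted(k for k in event if k in RESERVED_FIELDS)


def namespace_reserved_keys(raw_line, prefix="docker_"):
    """Return a copy of the event with colliding top-level keys renamed.

    The Docker-supplied value is preserved (e.g. source -> docker_source) so
    nothing is lost, and the indexer's own metadata fields are not shadowed.
    Non-colliding keys, including "tag", pass through unchanged.
    """
    event = json.loads(raw_line)
    return {(prefix + k if k in RESERVED_FIELDS else k): v for k, v in event.items()}


def audit(lines):
    """Check a batch of raw lines before forwarding them.

    Returns one (line_number, collisions_or_error, tag) tuple per line so a
    forwarder can log which events would have shadowed a reserved field and
    whether the "tag" key was actually present in the payload.
    """
    report = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            report.append((n, "invalid JSON: %s" % exc, None))
            continue
        report.append((n, find_collisions(line), event.get("tag")))
    return report


if __name__ == "__main__":
    for n, collisions, tag in audit(SAMPLE_EVENTS):
        print("event %d: collisions=%s tag=%s" % (n, collisions, tag))
    print(json.dumps(namespace_reserved_keys(SAMPLE_EVENTS[0])))
```

Running the audit over the three samples shows that every event carries a top-level `tag` key and that `source` is the only key colliding with the assumed reserved set, which is the kind of evidence worth collecting before deciding whether the missing field is an extraction or a metadata-precedence problem.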