I have non-JSON as well as JSON data in my log events. While indexing, I formed a regex and used TRANSFORM to convert the non-JSON part of the string to JSON so that automatic field extraction takes place. It is working as expected. The only issue here is, I would like to have the logs in their original format (non-JSON as well as JSON) but not as a completely converted JSON string on Splunk. Is there a way to have the log conversion take place at the backend, but with the fields extracted fine and displayed in interesting fields, and the original data displayed in Splunk?