Monthly Archives: April 2017

Getting Splunk to capture JSON fragments

While it is recommended to use machine-readable logging structures, it can be difficult to set up Splunk to read them. Here’s how: in the props.conf on the universal forwarders, use something like

    [mysourcetype]
    INDEXED_EXTRACTIONS = JSON
    TIMESTAMP_FIELDS = Time
    …
