Monthly Archives: April 2017

Getting Splunk to capture JSON fragments

While it is recommended to use machine-readable logging structures, it can be difficult to set up Splunk to read them. Here’s how: In the props.conf on the universal forwarders, use something like [mysourcetype] INDEXED_EXTRACTIONS = JSON TIMESTAMP_FIELDS = Time …
