Using "monolog/monolog": "^2.0", all of the logging statements are logged as different entries:
{
    "message": "http:\/\/docker.for.mac.localhost:1000",
    "context": {
        "$a": "val_a",
        "$b": "val_b",
        "$c": "val_c",
        "$d": "val_d"
    },
    "level": 200,
    "level_name": "INFO"
}
Logged as:
log 1 : "message": "http:\/\/docker.for.mac.localhost:1000",
log 2 : "$a": "val_a",
log 3 : "$b": "val_b",
log 4 : "$c": "val_c",
log 5 : "$d": "val_d",
By default, Splunk treats each line of data as a separate event. However, you can override that using settings in a props.conf file. It's a best practice to have props.conf settings for every sourcetype ingested.
These props should help. Install them on the indexers and heavy forwarders (if any).
[mysourcetype]
# Break events prior to "message", assuming this is always first
LINE_BREAKER = ([\r\n]+)\{"message
# No timestamp is seen in the events so assign the current time
DATETIME_CONFIG = current
SHOULD_LINEMERGE = false
KV_MODE = json
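To check that the LINE_BREAKER above really turns one pretty-printed Monolog record into one event before rolling it out, here is an added Python emulation (not from this thread and not Splunk's own code) of how that regex, with SHOULD_LINEMERGE = false and KV_MODE = json, would carve a stream into events and fields. The two sample records and the one-level "parent.child" field flattening are assumptions constructed for the demo, not the asker's real data.

```python
import json
import re

# Constructed sample: two pretty-printed Monolog records, one per log call,
# as the forwarder would read them from the log file (8 physical lines).
SAMPLE_STREAM = (
    '{"message": "http://docker.for.mac.localhost:1000",\n'
    '  "context": {"$a": "val_a", "$b": "val_b"},\n'
    '  "level": 200,\n'
    '  "level_name": "INFO"}\n'
    '{"message": "second request",\n'
    '  "context": {"$c": "val_c", "$d": "val_d"},\n'
    '  "level": 300,\n'
    '  "level_name": "WARNING"}\n'
)

# Same regex as the LINE_BREAKER in the props.conf above.
LINE_BREAKER = re.compile(r'([\r\n]+)\{"message')

def count_raw_lines(raw):
    """What the default per-line breaking would produce: one event per line."""
    return len([line for line in raw.splitlines() if line.strip()])

def break_events(raw):
    """Emulate Splunk LINE_BREAKER: an event ends where the first capture
    group starts, the captured text is discarded, and the next event begins
    right after it. No line merging is attempted (SHOULD_LINEMERGE = false)."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].strip()
    if tail:
        events.append(tail)
    return events

def extract_json_fields(event):
    """Approximate KV_MODE = json: parse the event as one JSON object and
    flatten one level of nesting using Splunk's 'parent.child' field names."""
    fields = {}
    for key, value in json.loads(event).items():
        if isinstance(value, dict):
            for sub, sub_value in value.items():
                fields[f"{key}.{sub}"] = sub_value
        else:
            fields[key] = value
    return fields

def ingest(raw):
    """Full pipeline: event breaking followed by JSON field extraction."""
    return [extract_json_fields(event) for event in break_events(raw)]

if __name__ == "__main__":
    print(count_raw_lines(SAMPLE_STREAM), "events with default line breaking")
    for record in ingest(SAMPLE_STREAM):
        print(record)
```

Swap SAMPLE_STREAM for a few real records copied from the log file to confirm the regex boundary matches your actual formatting before installing the props.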