JuztBe

Reputation: 71

Serilog Splunk logged parameters are nested within "event"

Serilog with the Splunk sink writes events in a nested structure. It wraps my logged parameters into an "events" object. While watching logs in Splunk, every time I have to press "+" to expand the properties that are actually useful to me. It slows down the process of analyzing logs significantly.

Example of how logs are shown:


Is there a way to affect the structure sent to Splunk, like bringing everything in "event" one level up? Or maybe there's some setting which could help in Splunk itself?

Upvotes: 0

Views: 531

Answers (2)

Daniel Price

Reputation: 483

Adding this to your search might help you manually look through the logs:

|spath event
|spath input=event (this part is optional)
|table event

Upvotes: 0

Charlie

Reputation: 7349

This appears to be JSON structured data with an 'event' and 'time' field, which is awfully reminiscent of the structure that is used by the 'event' endpoint version of the HTTP Event Collector in Splunk.

Could it be that Serilog is sending to hxxps://yourhechost:port/services/collector/raw when it should be sending to hxxps://yourhechost:port/services/collector/event instead?

Upvotes: 2
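
Added example, not part of either answer and not Serilog or Splunk code: a Python check for exported _raw samples that tells whether the HEC envelope itself was indexed (the symptom the second answer describes) and lifts "event" one level up, as the spath input=event search in the first answer does. The sample events and their Serilog-style property names are constructed, and the envelope test is a heuristic based on the documented top-level keys of the HEC event format.

```python
import json

# Top-level keys of the HEC "event" endpoint envelope.
HEC_ENVELOPE_KEYS = {"time", "host", "source", "sourcetype", "index", "event", "fields"}


def is_indexed_envelope(raw):
    """True if an indexed _raw string is itself a HEC envelope, i.e. the
    wrapper was stored as data instead of being unwrapped on ingestion."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and "event" in doc and set(doc) <= HEC_ENVELOPE_KEYS


def unwrap(raw):
    """Return the event one level up, or None if raw is not an envelope.
    Envelope metadata is kept under '_meta' so it cannot collide with the
    application's own properties."""
    if not is_indexed_envelope(raw):
        return None
    doc = json.loads(raw)
    event = doc["event"]
    body = dict(event) if isinstance(event, dict) else {"message": event}
    body["_meta"] = {k: v for k, v in doc.items() if k != "event"}
    return body


def field_paths(value, prefix=""):
    """List the dotted field names a JSON-aware viewer would show."""
    if not isinstance(value, dict):
        return [prefix]
    paths = []
    for key, child in value.items():
        paths += field_paths(child, f"{prefix}.{key}" if prefix else key)
    return paths


# Constructed samples, not taken from the question's screenshot.
WRAPPED = json.dumps({"time": "1700000000.123", "event": {
    "Level": "Information", "RenderedMessage": "User 42 logged in",
    "Properties": {"UserId": 42}}})
FLAT = json.dumps({"Level": "Information", "RenderedMessage": "User 42 logged in",
                   "Properties": {"UserId": 42}})

if __name__ == "__main__":
    for name, raw in (("wrapped", WRAPPED), ("flat", FLAT)):
        event = unwrap(raw)
        print(name, is_indexed_envelope(raw), field_paths(event) if event else "already flat")
```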
