Splunk logs aren’t parsed correctly

This article addresses the common symptoms of the issue and the steps to correct the log entry format for proper parsing in Splunk.

Description


Adobe Experience Manager as a Cloud Service (AEMaaCS)


When Splunk is used for log analysis together with Adobe Experience Manager (AEM), each line of a stack trace is incorrectly parsed as an individual event. As a result, the logs (custom logs in particular) appear concatenated or otherwise incorrectly parsed.

When integrating custom logs with Splunk, it is crucial that the log lines are formatted the way Fluent Bit, the log processor utilized by Splunk, expects them. The standard format is:

dd.MM.yyyy HH:mm:ss.SSS *LEVEL* [ logger] message

If the logs do not adhere to this format, in particular the asterisks enclosing the log level and the exact timestamp format, Splunk cannot tell where one entry ends and the next begins, and it treats each line of a multiline log entry, such as a stack trace, as a separate event.

Resolution

To rectify the log parsing issue in Splunk, update the custom logging implementation within AEM to follow the required format. For those using SLF4J with Logback or other frameworks, the log pattern should be configured as follows:

{0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* [ {3}] {5}

Please note the asterisks around the log level placeholder {4}. Omitting them looks like a minor discrepancy, but it breaks the parsing process and leads to parsing and display issues in Splunk.

This pattern ensures that the log entries match the expected format, with the log level surrounded by asterisks and the date in the day-month-year order.
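As an added example that is not part of the original article, the following Python script models how a start-rule based multiline parser groups log lines, which is what the description above and the pattern in this section are about: a line that matches the expected header opens a new event, any other line is appended to the open event (stack trace continuation), and a line that matches nothing while no event is open is emitted on its own. Run over constructed sample lines in both the conforming and a non-conforming custom-log format, it reproduces the symptoms described (every line becomes an event; custom lines get concatenated onto the preceding event) and includes a small diagnose helper that reports which part of a header line deviates. The regex, the helper names and the sample lines are assumptions for this illustration, not Fluent Bit's actual parser configuration.

```python
import re
from datetime import datetime

# Header of a log event in the format the article requires:
#   dd.MM.yyyy HH:mm:ss.SSS *LEVEL* [ logger] message
# The regex is an assumption modelled on that line; it is not Fluent Bit's own rule.
EVENT_START = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>[A-Z]+)\* "
    r"\[ ?(?P<logger>[^\]]+)\] "
    r"(?P<message>.*)$"
)


def is_event_start(line: str) -> bool:
    """True if the line carries a conforming header and therefore opens a new event."""
    return EVENT_START.match(line) is not None


def group_events(lines):
    """Group raw lines into events the way a start-rule multiline parser does.

    A line with a conforming header opens a new event; any other line is
    appended to the currently open event (stack trace continuation). A line
    that matches nothing while no event is open is emitted on its own, which
    is the 'every line becomes its own event' symptom from the article.
    """
    events = []
    current = None
    for line in lines:
        if is_event_start(line):
            if current is not None:
                events.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
        else:
            events.append([line])
    if current is not None:
        events.append(current)
    return events


def diagnose(line: str):
    """List the ways a would-be header line deviates from the required format."""
    problems = []
    if not re.match(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ", line):
        problems.append("timestamp is not dd.MM.yyyy HH:mm:ss.SSS")
    if not re.search(r" \*[A-Z]+\* ", line):
        problems.append("log level is not wrapped in asterisks")
    if not re.search(r"\[ ?[^\]]+\] ", line):
        problems.append("logger name is not in square brackets")
    return problems


def format_event(ts: datetime, level: str, logger: str, message: str) -> str:
    """Render one header line the way the article's pattern
    {0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* [ {3}] {5} would."""
    stamp = ts.strftime("%d.%m.%Y %H:%M:%S") + f".{ts.microsecond // 1000:03d}"
    return f"{stamp} *{level}* [ {logger}] {message}"


# Constructed sample lines (not taken from a real AEM instance).
CONFORMING = [
    "03.04.2024 10:15:30.123 *ERROR* [ com.example.MyService] Request failed",
    "java.lang.IllegalStateException: boom",
    "\tat com.example.MyService.handle(MyService.java:42)",
    "\tat com.example.Servlet.doGet(Servlet.java:17)",
    "03.04.2024 10:15:31.000 *INFO* [ com.example.MyService] Recovered",
]

# The same error written by a custom logger with a US-style date and a bare level.
NONCONFORMING = [
    "04/03/2024 10:15:30.123 ERROR [ com.example.MyService] Request failed",
    "java.lang.IllegalStateException: boom",
    "\tat com.example.MyService.handle(MyService.java:42)",
]

if __name__ == "__main__":
    for label, sample in (("conforming", CONFORMING), ("non-conforming", NONCONFORMING)):
        grouped = group_events(sample)
        print(f"{label}: {len(sample)} lines -> {len(grouped)} events")
        for event in grouped:
            print("  event:", event[0][:60], f"(+{len(event) - 1} continuation lines)")
    print("problems in non-conforming header:", diagnose(NONCONFORMING[0]))
```

The conforming sample yields two events, the first carrying its three stack trace lines; the non-conforming sample yields three single-line events. Feeding both samples in sequence shows the other symptom from the description: the non-conforming lines are glued onto the last conforming event. Running diagnose over a line from a misbehaving custom log is a quick way to see whether it is the timestamp format or the missing asterisks that needs fixing in the pattern.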

For comprehensive instructions on setting up and configuring logging formats in AEM as a Cloud Service, please refer to the logging documentation.

By conforming to the specified log format, customers can ensure that Splunk correctly parses multiline log entries, facilitating more effective monitoring and analysis.