serilog-contrib / serilog-sinks-splunk

A Serilog sink that writes to Splunk
https://splunk.com
Apache License 2.0

Default fields added by serilog to splunk #62

Closed sksksksksksk closed 7 years ago

sksksksksksk commented 7 years ago

Is there any way to remove the default fields such as level, template etc. added by Serilog while logging data to Splunk?

merbla commented 7 years ago

Hi @sksksksksksk,

Some options are available such as turning off template rendering.

renderTemplate: false

Check out the sample at https://github.com/serilog/serilog-sinks-splunk/blob/dev/sample/Sample/Program.cs#L177

I think the others you mentioned would be new features; they would not be hard to achieve, however they would stay enabled by default. The easier way to customise the event in Splunk is to extend/override the JSON formatter used. The default uses the package's JSON formatter and could be extended to achieve what you are looking for.

sksksksksksk commented 7 years ago

using System.IO;
using Serilog;
using Serilog.Events;
using Serilog.Formatting;

public class SOFormatte : ITextFormatter
{
    public void Format(LogEvent logEvent, TextWriter output)
    {
        output.Write("{");
        output.Write("hello from serilog");
        output.Write("}\n");
        output.Dispose();
        output.Flush();
    }
}

class Program
{
    public static void Main()
    {
        // myhost and mytoken (Splunk host and Event Collector token) are not defined in the posted snippet.
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Verbose()
            .WriteTo.EventCollector(
                myhost, mytoken,
                jsonFormatter: new SOFormatte(),
                uriPath: "services/collector")
            .WriteTo.Console(new SOFormatte())
            .CreateLogger();
        Log.Information(" hello");
        Log.CloseAndFlush();
    }
}

The above code is able to modify console output but is not logging anything to Splunk. Why would that be?

merbla commented 7 years ago

@sksksksksksk sorry, just got back to this one.

I have not had a chance to test your example. It is possible, however, that the formatter in the example above is not respecting the payload Splunk is expecting.

There is a SplunkJsonFormatter that is used internally to achieve this.

Details are here.
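
An added example, not code from this thread or from the sink project: a custom formatter that drops the level and message template but still emits the {"time": ..., "event": {...}} JSON envelope the Splunk HTTP Event Collector expects. The class name MinimalHecFormatter and the "message" and "properties" key names are assumptions chosen for illustration.

```csharp
using System.Globalization;
using System.IO;
using Serilog.Events;
using Serilog.Formatting;
using Serilog.Formatting.Json;

// Hypothetical class name; not part of serilog-sinks-splunk.
public class MinimalHecFormatter : ITextFormatter
{
    static readonly JsonValueFormatter ValueFormatter = new JsonValueFormatter();

    public void Format(LogEvent logEvent, TextWriter output)
    {
        // The Event Collector takes one JSON object per event: epoch-seconds "time" plus an "event" body.
        var epochSeconds = logEvent.Timestamp.ToUnixTimeMilliseconds() / 1000.0;

        output.Write("{\"time\":");
        output.Write(epochSeconds.ToString("F3", CultureInfo.InvariantCulture));
        output.Write(",\"event\":{\"message\":");
        // Escape quotes, backslashes and control characters so that log text
        // (often attacker-influenced) cannot break the JSON or forge extra fields.
        JsonValueFormatter.WriteQuotedJsonString(logEvent.RenderMessage(), output);

        // Properties are nested under their own key so none can overwrite "message".
        output.Write(",\"properties\":{");
        var separator = "";
        foreach (var property in logEvent.Properties)
        {
            output.Write(separator);
            separator = ",";
            JsonValueFormatter.WriteQuotedJsonString(property.Key, output);
            output.Write(':');
            ValueFormatter.Format(property.Value, output);
        }

        // The TextWriter belongs to the sink, so it is neither flushed nor disposed here.
        output.WriteLine("}}}");
    }
}
```

It plugs into the same jsonFormatter parameter used in the snippet posted above.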

Shrutikhurana commented 7 years ago

Ok.. thanks.. It's working now... The format was a little messed up. I corrected it.

merbla commented 7 years ago

👍