<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can not choose default sourcetype=_json while onboarding in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Can-not-choose-default-sourcetype-json-while-onboarding/m-p/678925#M113459</link>
    <pubDate>Wed, 28 Feb 2024 05:21:14 GMT</pubDate>
    <dc:creator>VatsalJagani</dc:creator>
    <dc:date>2024-02-28T05:21:14Z</dc:date>
    <item>
      <title>Can not choose default sourcetype=_json while onboarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-not-choose-default-sourcetype-json-while-onboarding/m-p/678889#M113455</link>
      <description>&lt;P&gt;We cannot choose the default source type _json while onboarding.&lt;/P&gt;&lt;P&gt;We need to extract the JSON data within the log file, which is essential for an app owner.&lt;/P&gt;&lt;P&gt;log format -&amp;nbsp;&lt;SPAN&gt;&lt;SPAN class=""&gt;2024-01-01T09:50:44+01:00 hostname APP2SAP[354]: {JSON data}&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;SPAN class=""&gt;I have a Splunk intermediate forwarder read these log files. The log file has non-JSON data followed by JSON data, which is bread and butter for the application team (log format as shown above).&lt;BR /&gt;&lt;BR /&gt;If I forward the data as-is to Splunk, the extraction is not proper, since it has non-JSON data at the beginning.&lt;BR /&gt;&lt;BR /&gt;Now I need props and/or transforms to extract it, which I am not sure how to do.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 27 Feb 2024 18:24:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-not-choose-default-sourcetype-json-while-onboarding/m-p/678889#M113455</guid>
      <dc:creator>Sandivsu</dc:creator>
      <dc:date>2024-02-27T18:24:06Z</dc:date>
    </item>
    <item>
      <title>Re: Can not choose default sourcetype=_json while onboarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-not-choose-default-sourcetype-json-while-onboarding/m-p/678925#M113459</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262216"&gt;@Sandivsu&lt;/a&gt;&amp;nbsp;- Not sure if you can do that with props and transforms. But I'll provide a solution you can apply at the search query level.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=&amp;lt;your-index&amp;gt; .....
| rex field=_raw "\s\w+\[\w+\]:\s(?&amp;lt;json_content&amp;gt;\{.*\})"
| spath input=json_content&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I hope this helps!!! Kindly upvote if it does!!!&lt;/P&gt;</description>
      <pubDate>Wed, 28 Feb 2024 05:21:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-not-choose-default-sourcetype-json-while-onboarding/m-p/678925#M113459</guid>
      <dc:creator>VatsalJagani</dc:creator>
      <dc:date>2024-02-28T05:21:14Z</dc:date>
    </item>
    <item>
      <title>Re: Can not choose default sourcetype=_json while onboarding</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-not-choose-default-sourcetype-json-while-onboarding/m-p/678956#M113464</link>
      <description>&lt;P&gt;Unfortunately, at the moment Splunk cannot automatically extract the structured data if it's not the whole event (as in your case - the JSON part is preceded by a non-JSON header).&lt;/P&gt;&lt;P&gt;There is an open idea for that: &lt;A href="https://ideas.splunk.com/ideas/EID-I-208" target="_blank"&gt;https://ideas.splunk.com/ideas/EID-I-208&lt;/A&gt;&lt;/P&gt;&lt;P&gt;So far you can either parse the JSON part in search with the help of the spath command, as &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93915"&gt;@VatsalJagani&lt;/a&gt; already showed, or cut away the header part using SEDCMD or INGEST_EVAL (possibly extracting indexed fields if needed prior to removing the non-structured part).&lt;/P&gt;&lt;P&gt;As a side note - you should _not_ use the _json sourcetype. Define your own.&lt;/P&gt;</description>
      <pubDate>Wed, 28 Feb 2024 11:53:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-not-choose-default-sourcetype-json-while-onboarding/m-p/678956#M113464</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2024-02-28T11:53:06Z</dc:date>
    </item>
  </channel>
</rss>