topic Re: JSON, TCP Input and _meta in Getting Data In

JSON, TCP Input and _meta

jeanmatthieu — Fri, 24 Oct 2014 12:19:48 GMT

Hi!

I'm sending a JSON document to a TCP Data Input on my Splunk server.
I noticed the magical field _time that allows me to set the time stamp the event occurred on and was hoping I could use _meta to add fields to be indexed automatically.

For example, is there a way to extract 'computer' and 'browser' fields from the below JSON automatically ?

{
    "_meta": "computer::MacBook Pro browser::Safari",
    "_time":"2014-10-24'T'11:59:01'Z'",
}

Thank you for your help,
Jean-Matthieu

Re: JSON, TCP Input and _meta

MuS — Fri, 24 Oct 2014 12:27:39 GMT

Take a look at the spath command http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Spath this should help you....

Re: JSON, TCP Input and _meta

gkanapathy — Fri, 24 Oct 2014 15:26:14 GMT

You should just use normal JSON fields and don't worry about _meta as that's mainly for internal Splunk use. The entire JSON is already indexed, and if you set KV_MODE = json for the source/sourcetype in props.conf (on the search head), then Splunk will automatically do extractions on all JSON fields. Do you have any particular reason to want to create extra indexes for other fields?

Re: JSON, TCP Input and _meta

jeanmatthieu — Fri, 24 Oct 2014 23:06:18 GMT

Nice. Thank you. Is there a way to limit what gets transformed into a fields please ?
The KV_MODE addition to props.conf created 15000+ fields and I only really need about 20 of these.

I use _meta in the default stanza in ./etc/system/local/inputs.conf through the forwarder when pushing computer logs.
I would like to create/index the same fields when pushing json from my app through tcp.

Thank you for your help!