https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349922#M64235 <P>Our Sales Engineer told us that the Splunk json parser requires several specific things in the json document, in order to be interpreted as json. What are they?</P> <P>We would like to avoid hard-coded solutions such as <A href="https://answers.splunk.com/answers/607375/how-do-we-assign-each-json-document-to-a-distinct-1.html">How do we assign each JSON document to a distinct event?</A></P> Tue, 30 Jan 2018 15:00:56 GMT ddrillic 2018-01-30T15:00:56Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349922#M64235 <P>Our Sales Engineer told us that the Splunk json parser requires several specific things in the json document, in order to be interpreted as json. What are they?</P> <P>We would like to avoid hard-coded solutions such as <A href="https://answers.splunk.com/answers/607375/how-do-we-assign-each-json-document-to-a-distinct-1.html">How do we assign each JSON document to a distinct event?</A></P> Tue, 30 Jan 2018 15:00:56 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349922#M64235 ddrillic 2018-01-30T15:00:56Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349923#M64236 <P>Why not just apply base configs to your JSON file and have it break correctly rather than trying to format the log to Splunk? </P> <P>If you let Splunk try to figure out the linebreaking, it will add additional overhead to your indexing and slow it down. </P> <P>Adding this will give you correct linebreaking and timestamping along with avoiding the merging pipeline which increases your indexing speed </P> <PRE><CODE>[sourcetype] TIME_PREFIX = TIME_FORMAT = LINE_BREAKER = SHOULD_LINEMERGE = false MAX_TIMESTAMP_LOOKAHEAD = TRUNCATE = </CODE></PRE> <P><A href="https://wiki.splunk.com/Community:HowIndexingWorks">https://wiki.splunk.com/Community:HowIndexingWorks</A></P> Tue, 30 Jan 2018 15:09:09 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349923#M64236 skoelpin 2018-01-30T15:09:09Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349924#M64237 <P>@skoelpin, good question.</P> <P>We have teams that can form their json logs per the Splunk's needs. So, we are lucky in this sense.</P> Tue, 30 Jan 2018 15:44:14 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349924#M64237 ddrillic 2018-01-30T15:44:14Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349925#M64238 <P>We were told by the Sales Engineer that as long as it's proper JSON, all we need to do is set -</P> <PRE><CODE>INDEXED_EXTRACTIONS = json category = Structured </CODE></PRE> <P>in <CODE>props.conf</CODE>.</P> Tue, 30 Jan 2018 16:43:23 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349925#M64238 ddrillic 2018-01-30T16:43:23Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349926#M64239 <P>Your sales engineer is partially right, but you should ALWAYS apply base configs to lessen the indexer load when indexing data. This is a big part of the SCC2 bootcamp </P> Tue, 30 Jan 2018 16:48:57 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349926#M64239 skoelpin 2018-01-30T16:48:57Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349927#M64240 <P>Much appreciated @skoelpin.</P> Tue, 30 Jan 2018 16:56:12 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349927#M64240 ddrillic 2018-01-30T16:56:12Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349928#M64241 <P>This solution works!!!</P> Fri, 02 Feb 2018 00:21:11 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349928#M64241 ddrillic 2018-02-02T00:21:11Z https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349929#M64242 <P>For the record, the predefined _json sourcetype has these two defined config variables -</P> <PRE><CODE> INDEXED_EXTRACTIONS = json category = Structured </CODE></PRE> Fri, 16 Mar 2018 01:19:35 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-the-requirements-for-a-perfect-Splunk-JSON-document/m-p/349929#M64242 ddrillic 2018-03-16T01:19:35Z