https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352470#M64602 <P>Trying to get my syslog in json format to extract properly.</P> <P>I've tried using INDEXED_EXTRACTIONS=JSON as well as KV_MODE=json(not at the same time) and neither have worked.</P> <P>Here is a short sample log</P> <PRE><CODE>Jun 13 15:41:27 host.domain.com {"account_id":"678", "legacy_domain_id":"12345", "visitor_ip":"xx.xxx.xxx.xx", "time":"1497368487.007","request":"GET /stuff/search/stuff/morestuff"} </CODE></PRE> <P>Unfortunately it doesnt seem to be working as nothing gets extracted.<BR /> I'm sure its something I'm doing or something with the log format.<BR /> Any help would be apprciated.<BR /> Thanks!</P> Tue, 29 Sep 2020 14:29:40 GMT tkwaller 2020-09-29T14:29:40Z https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352470#M64602 <P>Trying to get my syslog in json format to extract properly.</P> <P>I've tried using INDEXED_EXTRACTIONS=JSON as well as KV_MODE=json(not at the same time) and neither have worked.</P> <P>Here is a short sample log</P> <PRE><CODE>Jun 13 15:41:27 host.domain.com {"account_id":"678", "legacy_domain_id":"12345", "visitor_ip":"xx.xxx.xxx.xx", "time":"1497368487.007","request":"GET /stuff/search/stuff/morestuff"} </CODE></PRE> <P>Unfortunately it doesnt seem to be working as nothing gets extracted.<BR /> I'm sure its something I'm doing or something with the log format.<BR /> Any help would be apprciated.<BR /> Thanks!</P> Tue, 29 Sep 2020 14:29:40 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352470#M64602 tkwaller 2020-09-29T14:29:40Z https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352471#M64603 <P>JSON will not auto-extract with the timestamp/host prefix in your data. You can use a SEDCMD to strip it out in props.conf.</P> <P>e.g.</P> <PRE><CODE>[my_sourcetype] SEDCMD-strip_prefix = s/^[^{]+//g INDEXED_EXTRACTIONS=JSON KV_MODE=none </CODE></PRE> <P>You'll want to add TIME_PREFIX, TIME_FORMAT, etc. as well. </P> Tue, 29 Sep 2020 14:29:45 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352471#M64603 masonmorales 2020-09-29T14:29:45Z https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352472#M64604 <P>Hello<BR /> Sorry for the delay, was super busy with work.<BR /> I knew it had to be something with the preceding data but wasn't sure. I added to the config and now it looks as such:<BR /> [syslogtest]<BR /> SEDCMD-strip_prefix = s/^[^{]+//g<BR /> INDEXED_EXTRACTIONS=JSON<BR /> KV_MODE=none<BR /> DATETIME_CONFIG = <BR /> TIME_FORMAT = %s.%6N<BR /> TIME_PREFIX = "time":"<BR /> NO_BINARY_CHECK = true<BR /> category = Custom<BR /> description = syslogtest<BR /> disabled = false<BR /> pulldown_type = true</P> <P>I left the default stuff there.</P> <P>Only now parsing doesnt take place:<BR /> 06-19-2017 09:36:04.310 -0500 ERROR JsonLineBreaker - JSON StreamId:5377901818726410745 had parsing error:Unexpected character while looking for value: 'J' - data_source="C:\syslog.log", data_host="L-BDL-10007862", data_sourcetype="syslogtest"</P> <P>Any thoughts?<BR /> Thanks!</P> Tue, 29 Sep 2020 14:31:33 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352472#M64604 tkwaller 2020-09-29T14:31:33Z https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352473#M64605 <P>So it seems it wouldn't work with:<BR /> INDEXED_EXTRACTIONS=JSON</P> <P>but it DID work with:<BR /> KV_MODE=json</P> <P>Thanks for the help, I appreciate it!</P> Mon, 19 Jun 2017 16:18:39 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352473#M64605 tkwaller 2017-06-19T16:18:39Z https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352474#M64606 <P>Thank you, just what I needed.... </P> Thu, 28 Sep 2017 21:35:45 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352474#M64606 andygerber 2017-09-28T21:35:45Z https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352475#M64607 <P>Hi.</P> <P>I'm facing the same issue. </P> <P>I've added the following to my props.conf but still not working.</P> <P>SEDCMD-StripHeader = s/^[^{]+//g<BR /> KV_MODE=json</P> <P>Does the associated TA need to be pushed to indexers as well as search heads?</P> <P>Does there need to be a reference later in props.conf to the SEDCMD-StripHeader line?</P> <P>Thanks!</P> Fri, 23 Feb 2018 21:01:26 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-extract-JSON-syslog-automatically/m-p/352475#M64607 darlas 2018-02-23T21:01:26Z