topic Re: How to view whole JSON logs for field extraction in Splunk since it only shows 1/3rd of it currently? in Getting Data In

How to view whole JSON logs for field extraction in Splunk since it only shows 1/3rd of it currently?

sir_real — Fri, 02 Feb 2018 20:45:12 GMT

I’ve got some JSON logs pulling into Splunk and I’m trying to do the field extraction on one of the logs I’ve gathered. However, whenever it goes to the "Extract Fields" screen it only shows about 1/3 (top part) of the log. All of the pertinent data is not visible. Is there a setting or process to make the whole log viewable for field extraction?

Thanks in advance!
s_R

Re: How to view whole JSON logs for field extraction in Splunk since it only shows 1/3rd of it currently?

micahkemp — Sat, 03 Feb 2018 04:24:04 GMT

How many bytes long is your JSON event? I believe there is a default limit involved.

Re: How to view whole JSON logs for field extraction in Splunk since it only shows 1/3rd of it currently?

Richfez — Sat, 03 Feb 2018 13:59:17 GMT

So you have JSON files being ingested, but not all fields/portions are being extracted?

Do you need an extraction that's not part of the KV extraction Splunk does when the sourcetype is set to JSON (e.g. extracting from an existing field or slicing and dicing a field into "subfields" that aren't JSON defined?)

Or are there NO fields extracted from this JSON file and you need to extract some?

In the former case, if you were to paste in an example of the field and the sub-value you want out of it I'm sure we can help you with a regex based extraction to handle that.

If the latter case, why not set it to JSON and let Splunk extract it?