https://community.splunk.com/t5/Getting-Data-In/How-to-extract-JSON-at-index-time/m-p/365625#M66569 <P>I am trying to extract some json data at index time. I have found the article about using regular expressions to create custom fields but regex is not well suited to extracting json. I understand that spath can take out the json data during a search but in this case it is required that I extract the data into fields at index time. </P> Tue, 20 Mar 2018 16:00:42 GMT adexteracc 2018-03-20T16:00:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-JSON-at-index-time/m-p/365625#M66569 <P>I am trying to extract some json data at index time. I have found the article about using regular expressions to create custom fields but regex is not well suited to extracting json. I understand that spath can take out the json data during a search but in this case it is required that I extract the data into fields at index time. </P> Tue, 20 Mar 2018 16:00:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-JSON-at-index-time/m-p/365625#M66569 adexteracc 2018-03-20T16:00:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-JSON-at-index-time/m-p/365626#M66570 <P>Have you already tried applying INDEXED_EXTRACTIONS=JSON in your props.conf at your universal forwarder level (or wherever the input is configured)?</P> Tue, 20 Mar 2018 17:50:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-JSON-at-index-time/m-p/365626#M66570 hortonew 2018-03-20T17:50:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-JSON-at-index-time/m-p/365627#M66571 <P>You can ingest the data using the _json sourcetype - this will enable indexed field extractions. </P> <P>Alternatively, if you don't want to keep the _json sourcetype name, you can set INDEXED_EXTRACTION=JSON in props.conf.</P> Tue, 29 Sep 2020 18:35:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-JSON-at-index-time/m-p/365627#M66571 jluo_splunk 2020-09-29T18:35:07Z