Parsing JSON syslog data - additional fields extraction happening.

seshagirik545 — Wed, 30 Sep 2020 01:14:59 GMT

Hi All,

need help in parsing below JSON message.

{ "MsgDesc": "1229340728.000000:iso.3.6.1.4.1.9.9.96.1.1.1.1.2.567777 = INTEGER: 1 iso.3.6.1.4.1.9.9.96.1.1.1.1.3.345455 = INTEGER: 3 iso.3.6.1.4.1.9.9.96.1.1.1.1.4.345435 = INTEGER: 1 iso.3.6.1.4.1.9.9.96.1.1.1.1.5.111249171 = IpAddress: 192.168.1.100 iso.3.6.1.4.1.9.9.", "MsgType": "SNMPD-3-ERROR", "Severity": 3}

props for this sourcetype are in HF ( Splunk version 7.3.0 😞

pulldown_type = true
category = Structured
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS= json
SHOULD_LINEMERGE = false

The problem is along with the MsgDesc, MsgType & Severity, Splunk extracting iso.3.6.1.4.1.9.9.96.1.1.1.1.2.567777, iso.3.6.1.4.1.9.9.96.1.1.1.1.3.345455 also. from the MsgDesc value. I dont want these extra fields. Is there a way solve this?

Thanks,
Seshu

Re: Parsing JSON syslog data - additional fields extraction happening.

jkat54 — Sun, 07 Jul 2019 16:06:59 GMT

That's because splunk is also auto extracting the Key value Pairs (this=that), most likely because you are in verbose mode while searching. Your KV_MODE=none should fix that but it has to be set on your search heads not the forwarder.

Also INDEXED_EXTRACTIONS=JSON should be all uppercase and it should be on the first forwarder that "sees" the data (UF or HF).

topic Parsing JSON syslog data - additional fields extraction happening. in Getting Data In

Parsing JSON syslog data - additional fields extraction happening.

Re: Parsing JSON syslog data - additional fields extraction happening.