https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389751#M69750 <P><A href="https://github.com/doksu/TA-jsontools/wiki">https://github.com/doksu/TA-jsontools/wiki</A></P> Thu, 23 May 2019 07:35:44 GMT kamlesh_vaghela 2019-05-23T07:35:44Z https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389748#M69747 <P>Hello!</P> <P>I'm trying to generate some summarized data by using the collect command in my SPL queries.</P> <P>The event format by default is</P> <PRE><CODE>05/20/2019 07:15:00 +0200, info_min_time=1.000, info_max_time=1558557310.000, info_search_time=1558557310.410, field1=value1 field2=value2 </CODE></PRE> <P>Some of this fields, are actually JSON objects, like:</P> <PRE><CODE>05/20/2019 07:15:00 +0200, info_min_time=1.000, info_max_time=1558557310.000, info_search_time=1558557310.410, field1=value1 field2=value2 field3="{"subfield1":"subvalue1", "subfield2":"subvalue2",...}" </CODE></PRE> <P>So, to avois a mixture of formats in my collected event, I would like to index the results, using the collect command, BUT in JSON format for the whole event, something like:</P> <PRE><CODE>{"time":"05/20/2019 07:15:00 +0200", "info_min_time"=1.000, "info_max_time":1558557310.000, "info_search_time":1558557310.410, results: {"field1":"value1" "field2":"value2", field3="{"subfield1":"subvalue1", "subfield2":"subvalue2",...}"...}} </CODE></PRE> <P>Is such thing feasible? Some props tweaking?</P> <P>Thank you in advance!</P> Thu, 23 May 2019 06:31:43 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389748#M69747 alvaromari83 2019-05-23T06:31:43Z https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389749#M69748 <P>You can look into it from two perspective<BR /> 1. Is the source data the most important thing in your organisation?<BR /> 2. If the data format is important</P> <P>In many organisation (1) is more important. This is to preserve the original data. Splunk doesn't have any issue in extracting data even if the JSON format is mixed. You index "original" data, but just mention the json part to extract automatically</P> <P>Please see this thread on how to index json mixed format. <A href="https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html">https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html</A></P> <P>You could even add a stanza just to extract pure JSON if need be at search time. This way you preserve the original data as well as you get key-value at search-time</P> Thu, 23 May 2019 07:25:55 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389749#M69748 koshyk 2019-05-23T07:25:55Z https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389750#M69749 <P>@alvaromari83 </P> <P>Can you please try <CODE>| mkjson</CODE> command from <CODE>JSON Tools</CODE> Splunk App ?</P> <P><A href="https://splunkbase.splunk.com/app/3540/#/overview">https://splunkbase.splunk.com/app/3540/#/overview</A></P> Thu, 23 May 2019 07:35:22 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389750#M69749 kamlesh_vaghela 2019-05-23T07:35:22Z https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389751#M69750 <P><A href="https://github.com/doksu/TA-jsontools/wiki">https://github.com/doksu/TA-jsontools/wiki</A></P> Thu, 23 May 2019 07:35:44 GMT https://community.splunk.com/t5/Getting-Data-In/Collect-command-to-index-in-JSON-format/m-p/389751#M69750 kamlesh_vaghela 2019-05-23T07:35:44Z