topic Re: Can Splunk read a file in JSON format? in Getting Data In

Can Splunk read a file in JSON format?

pfabrizi — Thu, 28 Jun 2018 20:40:12 GMT

We are trying to pull in slack data using function1 which is not work as we are using the new api. We had a call with slack and they suggested to create a custom app. In the interim what we would like to is create a script that fetches the slack events and writes to a file and then use a file monitor to retrieve the events.
Slack returns the data in json, so how would I setup the file monitor to read json? Or would I just format the data in the script that retrieves slack?

Thanks!

Re: Can Splunk read a file in JSON format?

amiftah — Thu, 28 Jun 2018 20:49:30 GMT

Yes you can.
There is a predefined sourcetype for json called _json

https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Listofpretrainedsourcetypes

Re: Can Splunk read a file in JSON format?

pfabrizi — Fri, 29 Jun 2018 00:40:17 GMT

Hi Amiftah,
So I would just add this to my inputs.conf?

source=_json
sourcetype=box

thanks!

Re: Can Splunk read a file in JSON format?

amiftah — Fri, 29 Jun 2018 00:44:39 GMT

@pfabrizi:

your inputs.conf should look like this:

[monitor:////test/sample.json]
disabled = false
index = yourIndex
sourcetype = _json

You can read more about monitoring here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Re: Can Splunk read a file in JSON format?

pfabrizi — Fri, 29 Jun 2018 10:06:33 GMT

Thank You!