https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430873#M75399 <P>For me it is working fine with indexing data directly not with fifo input (On Splunk 7.2.3) . Can you please let us know which version of splunk are you running?</P> <P>I used only below config in props.conf while on boarding the data on my lab.</P> <P>props.conf</P> <PRE><CODE>[mysourcetype] INDEXED_EXTRACTIONS = JSON </CODE></PRE> Thu, 14 Mar 2019 13:51:39 GMT harsmarvania57 2019-03-14T13:51:39Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430870#M75396 <P>Hi everyone,</P> <P>In my inputs.conf I am monitoring a fifo file receiving json events.</P> <P>Inputs.conf :<BR /> [fifo:///tmp/a.fifo]<BR /> disabled=0<BR /> index=main<BR /> sourcetype=json_test</P> <P>Props.conf :<BR /> [json_test]<BR /> INDEXED_EXTRACTIONS=JSON<BR /> KV_MODE=none<BR /> AUTO_KV_JSON=false<BR /> SHOULD_LINEMERGE=false<BR /> TIME_FORMAT=%s.%6N</P> <P>I see that all fields are parsed correctly, yet I cannot tstats by none metadata fields.<BR /> I then tried to add TRANSFORMS-js=test_js to props.conf and have the following stanza in transforms.conf :</P> <P>[test_js]<BR /> REGEX=\"([a-zA-Z0-9_.]+)\":\"([^"]+)\"<BR /> FORMAT=$1::$2<BR /> REPEAT_MATCH=true<BR /> WRITE_META=true</P> <P>In this case, I am able to tstats on some json fields. However, this regex does not cover all cases of keys and values of a json line and it seems very redundant to reparse all json fields after INDEXED_EXTRACTIONS=json.</P> <P>Any ideas on how to solve this issue ?</P> Tue, 29 Sep 2020 23:37:52 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430870#M75396 moneybox 2020-09-29T23:37:52Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430871#M75397 <P>Hi,</P> <P>Can you please provide some sample data (Please mask sensitive data) ?</P> Wed, 13 Mar 2019 19:24:08 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430871#M75397 harsmarvania57 2019-03-13T19:24:08Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430872#M75398 <P>Hi,</P> <P>Sure, here is a sample line that will go into the fifo file:<BR /> {"value": "New", "onclick": 123}</P> <P>"value" and "onclick" will not be available in a tstats command such as :</P> <P>| tstats count where index=main by value</P> Thu, 14 Mar 2019 13:34:43 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430872#M75398 moneybox 2019-03-14T13:34:43Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430873#M75399 <P>For me it is working fine with indexing data directly not with fifo input (On Splunk 7.2.3) . Can you please let us know which version of splunk are you running?</P> <P>I used only below config in props.conf while on boarding the data on my lab.</P> <P>props.conf</P> <PRE><CODE>[mysourcetype] INDEXED_EXTRACTIONS = JSON </CODE></PRE> Thu, 14 Mar 2019 13:51:39 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430873#M75399 harsmarvania57 2019-03-14T13:51:39Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430874#M75400 <P>Hi,</P> <P>I am using Splunk 7.2.4</P> <P>Yes the above configuration works for monitor or batch.<BR /> It does not work with fifo files though</P> Thu, 14 Mar 2019 14:12:12 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430874#M75400 moneybox 2019-03-14T14:12:12Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430875#M75401 <P>Yes, reproduced this issue with <CODE>[fifo://...]</CODE> stanza, it is not honoring <CODE>INDEXED_EXTRACTIONS = JSON</CODE> and due to that <CODE>value</CODE> and <CODE>onclick</CODE> are not indexing as index fields and due to that you can't use <CODE>tstats</CODE> (Because tstats read data from <CODE>.tsidx</CODE> files which contains only indexed fields name and data).</P> Fri, 15 Mar 2019 10:34:54 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430875#M75401 harsmarvania57 2019-03-15T10:34:54Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430876#M75402 <P>So is it possible to report a bug for splunk ?<BR /> Any idea how to achieve that ?<BR /> thanks</P> Sun, 17 Mar 2019 09:21:39 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430876#M75402 moneybox 2019-03-17T09:21:39Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430877#M75403 <P>If you have active splunk support entitlement then you can raise case with splunk support and if they will say that this is expected behavior then I'll suggest to provide docs feedback on props.conf docs page to mention this as fifo input stanza doesn't support <CODE>INDEXED_EXTRACTIONS</CODE>.</P> Sun, 17 Mar 2019 10:40:05 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430877#M75403 harsmarvania57 2019-03-17T10:40:05Z https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430878#M75404 <P>I am afraid I use the free license for this project.<BR /> @harsmarvania57 is it possible for you to open a case ?</P> <P>Thnk you very much</P> Tue, 19 Mar 2019 15:25:50 GMT https://community.splunk.com/t5/Getting-Data-In/indexed-extractions-json-not-working-for-FIFO-file/m-p/430878#M75404 moneybox 2019-03-19T15:25:50Z