topic Re: json extract field in Getting Data In

json extract field

surekhasplunk — Tue, 18 Aug 2020 03:16:28 GMT

i have one event entry like this indexed using props.conf entry like below.

But this is not coming in json format its indexing only in raw format not sure why. Also because of that the column names ID, Name etc are not extracted automatically.

[{'ID': 123, 'Name': 'hostname', 'SetupComplete': True, 'Plugin': 'someplugin', 'PluginName': 'someplugin', 'DomainName': 'something', 'DomainEmail': '', 'dontknow': '', 'Address': '1.2.3.4', 'BackupIntervalString': 'Manual', 'LastBackupString': 'Never (1 uploaded)', 'LastBackupAttemptString': 'Never', 'NextBackupString': '', 'Protocol': 'scp', 'Location': '', 'BaselineState': 'N/A', 'LastBackupCompliant': False, 'LastBackupCompliantString': 'N/A', 'ComplianceScore': -1, 'RetryInterval': 45, 'NumRetries': 0, 'KeepVersions': 0, 'Owner': 'someone@something.com', 'State': 'Idle', 'Uptime': 'Not monitored', 'BackupStatus': 'OK', 'BackupDU': '100MB', 'Manufacturer': 'dontknow', 'Model': 'dontknow', 'AssetID': '', 'Serial': '', 'Firmware': '', 'ApprovedBackups': 0, 'CurrentApproved': False, 'NumBackups': 1, 'Disabled': 'No', 'DomainDisabled': False, 'ApprovedState': 'good', 'IsPush': False, 'Updated': '0001-01-01T00:00:00Z'},

Can you please help here.

[example_json]
CHARSET = UTF-8
DATETIME_CONFIG = CURRENT
KV_MODE = json
TRUNCATE = 0
SEDCMD-removejunk1 = s/^\[//g
LINE_BREAKER = ([\r\n,]*(?:{[^[{]+\[)?){'ID
SHOULD_LINEMERGE = false
SEDCMD-remove_end = s/]$//g
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

please tell me if i need to modify the props.conf entry or please help me with the extraction of fields.

Re: json extract field

to4kawa — Tue, 18 Aug 2020 06:43:39 GMT

LINE_BREAKER=(.){'ID
SEDCMD-trim=s/'/"/g s/True/true/g s/False/false/g s/\]//

Splunk can't parse '(single quote).
Also, you should modify to valid JSON.

Re: json extract field

surekhasplunk — Tue, 18 Aug 2020 07:30:43 GMT

Thanks @to4kawa

I tried this and i get only 1 event indexed like json, the 1st event and next all events are like raw events i think because ] is missing at the end ?

Re: json extract field

to4kawa — Tue, 18 Aug 2020 07:35:22 GMT

sorry, I can see only one event. where is the others?

Re: json extract field

surekhasplunk — Tue, 18 Aug 2020 07:51:31 GMT

thanks i got it. i have to manually add ] before ID and then it works. Thanks and i modified to have double quotes instead of single .

Also can you please explain why to substitute True to true and False to false ?

Re: json extract field

to4kawa — Tue, 18 Aug 2020 07:54:11 GMT

https://www.json.org/json-en.html

This is the first time I've heard of it.

"(double quote)
true / false(lower)

`(single qute) and True/False is not valid.