topic Onboarding JSON extract in Knowledge Management https://community.splunk.com/t5/Knowledge-Management/Onboarding-JSON-extract/m-p/399814#M8043 <P>Hi,</P> <P>I am currently onboarding some data from a different instance of Splunk using a REST API call ... The data produced is JSON and it includes, sourcetype, source, host, _time and _raw.</P> <P>Is there any way I can match the details from the JSON extract to the corresponding fields in my local instance (i.e., source, sourcetype and host)?</P> <P>How can I also get Splunk to automatically extract the results._raw field? Do I need to create field extraction for all fields?</P> <P>the event is currently being onboarded like this:</P> <P>7/18/19<BR /> 4:15:00.041 AM<BR /><BR /> { [-] <BR /> offset: 7<BR /><BR /> preview: false<BR /><BR /> result: { [-] <BR /> _raw: 2019-07-18 02:15:00.041, LONG_RUN_TX="0"<BR /><BR /> _serial: 3<BR /><BR /> _si: [ [+] <BR /> ]<BR /><BR /> _sourcetype: sql_x<BR /><BR /> _subsecond: .041<BR /><BR /> _time: 2019-07-18 02:15:00.041 GMT<BR /><BR /> host: SQL01<BR /> source: sqlx_extract_log<BR /><BR /> sourcetype: sqlx_extract<BR /><BR /> }<BR /><BR /> }</P> <P>Thank you.</P> Wed, 30 Sep 2020 01:24:27 GMT RobertEttinger8 2020-09-30T01:24:27Z Onboarding JSON extract https://community.splunk.com/t5/Knowledge-Management/Onboarding-JSON-extract/m-p/399814#M8043 <P>Hi,</P> <P>I am currently onboarding some data from a different instance of Splunk using a REST API call ... The data produced is JSON and it includes, sourcetype, source, host, _time and _raw.</P> <P>Is there any way I can match the details from the JSON extract to the corresponding fields in my local instance (i.e., source, sourcetype and host)?</P> <P>How can I also get Splunk to automatically extract the results._raw field? Do I need to create field extraction for all fields?</P> <P>the event is currently being onboarded like this:</P> <P>7/18/19<BR /> 4:15:00.041 AM<BR /><BR /> { [-] <BR /> offset: 7<BR /><BR /> preview: false<BR /><BR /> result: { [-] <BR /> _raw: 2019-07-18 02:15:00.041, LONG_RUN_TX="0"<BR /><BR /> _serial: 3<BR /><BR /> _si: [ [+] <BR /> ]<BR /><BR /> _sourcetype: sql_x<BR /><BR /> _subsecond: .041<BR /><BR /> _time: 2019-07-18 02:15:00.041 GMT<BR /><BR /> host: SQL01<BR /> source: sqlx_extract_log<BR /><BR /> sourcetype: sqlx_extract<BR /><BR /> }<BR /><BR /> }</P> <P>Thank you.</P> Wed, 30 Sep 2020 01:24:27 GMT https://community.splunk.com/t5/Knowledge-Management/Onboarding-JSON-extract/m-p/399814#M8043 RobertEttinger8 2020-09-30T01:24:27Z