topic Re: extract json files fields in Splunk Search

extract json files fields

khanlarloo — Tue, 19 May 2020 08:00:58 GMT

I have json logs that I want to extract.I did All items related to field extraction in props.conf file.
my log
{"export_time":"06:45:53","flows":[{"applicationNamePath":"XXX","applicationName":"tcp","flowStartSeconds":"1589957129","sourceTransportPort":"XXX","sourceIPv4Address":"190.x.x.x","destinationIPv4Address":"X.x.x.x","flowId":"64414","flowDirection":"0","tunnelTechnology":"no","destinationTransportPort":"443","flowExpired":"1","detectionCompleted":"0","tcpControlBits":"14","flowDurationMilliseconds":"9000","octetTotalCount":"152","packetTotalCount":"3","applicationCategoryName":"Network Service","p2pTechnology":"no","attributes":[]}],"last":1}

my props.conf:
indexed_extraction = json

Re: extract json files fields

vnravikumar — Tue, 19 May 2020 09:09:18 GMT

What is the issue?

Re: extract json files fields

khanlarloo — Tue, 19 May 2020 10:38:59 GMT

Hi,splunk Cannot extract fields.what should i do to extract this json fields?

Re: extract json files fields

Sfry1981 — Tue, 19 May 2020 12:07:46 GMT

when you say cant extract, can you explain it in more detail. You JSON is valid so there shouldnt be any issues

Re: extract json files fields

codebuilder — Wed, 20 May 2020 00:12:57 GMT

The example you provided appears to be valid, properly formatted json (checked via https://jsonlint.com).

Did you cycle Splunk after updating props.conf? It's required if/when you modify that config. Also, any data that was ingested prior to any modification of that config will not be displayed correctly, only new data.

Re: extract json files fields

khanlarloo — Wed, 20 May 2020 03:06:16 GMT

after updating i restart my splunk. what do you mean by cycle?

Re: extract json files fields

khanlarloo — Wed, 20 May 2020 03:10:02 GMT

I want to make my search based on the fields extracted from my json log.But none of my fields were extracted and I have to extract my desired fields by writing Regex.
i separate my logs with defining different indexes in transforms.conf and props.conf

Re: extract json files fields

codebuilder — Wed, 20 May 2020 03:19:31 GMT

Restart or cycle, different terms to the same end. You just need to restart the Splunk daemon/service.

You can also try adding the following to your search after modifying props.conf:
| extract reload=true

Re: extract json files fields

maityayan1996 — Wed, 20 May 2020 04:52:49 GMT

| spath input=data
Use this one it will help you to extract the fields from the json format of logs.
You can also visit this blog :
https://splunkonbigdata.com/2018/09/05/how-to-extract-fields-from-the-json-format-data-in-splunk/

Re: extract json files fields

khanlarloo — Wed, 27 May 2020 06:54:40 GMT

it doesn't work.