https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/562007#M195458 <P>Yes. <STRONG>KV_MODE = json</STRONG> is set on the search head.</P> Wed, 04 Aug 2021 04:49:30 GMT kernand0 2021-08-04T04:49:30Z https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/561905#M195431 <P>I have events coming from an API that all have the same 10 fields.&nbsp; Viewing the RAW event one of the fields (detail) is quote escaped JSON (\").&nbsp; The contents of the field varies and I cannot get consistent parsing via configuration files.&nbsp; &nbsp;The <U>props.conf</U> does already include <STRONG>KV_MODE = json</STRONG>&nbsp;&nbsp;</P><P>If I add <STRONG>| spath input=detail&nbsp;</STRONG>to the SPL it parses perfectly, but I need to do the parsing from the config files so I can build Datamodels.&nbsp; &nbsp;Since KV's vary across events parsing the whole detail field verses regex's on specifc KV's seems to be more efficient.&nbsp; &nbsp;I've had limited success using a regex in <U>transforms.conf</U>.&nbsp; And I think trying to use the&nbsp;<STRONG>| eval details = spath(X,Y)&nbsp;</STRONG>won't work because there are multiple keys and values.&nbsp;</P><P><BR />Some sample events are below.</P><P><FONT face="courier new,courier">{"edgeName": "DVC_NAME", "enterpriseUsername": null, "event": "EDGE_NEW_DEVICE", "category": "EDGE", "id":&nbsp;12345678, "segmentName": null, "severity": "NOTICE", "eventTime": "2021-08-03T13:21:31.000Z", "message": "New or updated client device&nbsp;01:23:45:67:ab:ef, ip 192.168.0.100, segId 0, hostname NT_HOSTNAME, os", "detail": "{\"last_request_time\":0,\"client_mac\":\"01:23:45:67:ab:ef\",\"client_ipv4addr\":\"192.168.0.100\",\"hostname\":\"NT_HOSTNAME\",\"os_type\":0,\"os_class\":0,\"os_class_name\":\"UNKNOWN\",\"os_version\":\"\",\"device_type\":\"\",\"os_description\":\"\",\"dhcp_param_list\":\"1,3,6,15,31,33,43,44,46,47,119,121,249,252\",\"segment_id\":0}"}</FONT></P><P><FONT face="courier new,courier">{"id": 73646231, "severity": "INFO", "eventTime": "2021-08-03T06:36:31.000Z", "segmentName": null, "message": "Edge [DVC_NAME] has re-established communication with the Orchestrator", "category": "EDGE", "event": "EDGE_UP", "enterpriseUsername": null, "detail": "{\"enterpriseAlertConfigurationId\":null,\"enterpriseId\":316,\"edgeId\":8748,\"edgeName\":\"DVC_NAME\",\"state\":\"PENDING\",\"stateSetTime\":\"2021-08-03T06:36:30.867Z\",\"triggerTime\":\"2021-08-03T06:36:30.867Z\",\"remainingNotifications\":1,\"nextNotificationTime\":\"2021-08-03T06:36:30.867Z\",\"lastContact\":\"2021-08-03T06:36:29.000Z\",\"name\":\"EDGE_UP\",\"type\":\"EDGE_UP\",\"firstNotificationSeconds\":0,\"maxNotifications\":1,\"notificationIntervalSeconds\":120,\"resetIntervalSeconds\":3600,\"timezone\":\"America/Phoenix\",\"locale\":null}", "edgeName": "DVC_NAME"}</FONT></P><P><FONT face="courier new,courier">{"edgeName": "DVC_NAME", "id": 73579676, "eventTime": "2021-08-02T23:24:58.000Z", "event": "MGD_CONF_APPLIED", "severity": "INFO", "segmentName": null, "enterpriseUsername": null, "detail": "{\"heartBeatSeconds\": 30, \"managementPlaneProxy\": {\"drHeartbeatSecs\": 60, \"primary\": \"host-1.domain.net\", \"secondary\": \"host-2.domain.net\"}, \"timeSliceSeconds\": 300, \"statsUploadSeconds\": 300}", "message": "Applied new configuration for managementPlane version 1627946184323", "category": "EDGE"}</FONT></P> Tue, 03 Aug 2021 14:47:09 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/561905#M195431 kernand0 2021-08-03T14:47:09Z https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/561988#M195453 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6033">@kernand0</a>&nbsp;</P><P>that's good when its working with spath, where did you set KV_MODE = json ?&nbsp; Props having KV_MODE shall be deployed to Search head.</P> Wed, 04 Aug 2021 01:17:18 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/561988#M195453 venkatasri 2021-08-04T01:17:18Z https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/562007#M195458 <P>Yes. <STRONG>KV_MODE = json</STRONG> is set on the search head.</P> Wed, 04 Aug 2021 04:49:30 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/562007#M195458 kernand0 2021-08-04T04:49:30Z https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/562018#M195462 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6033">@kernand0</a>&nbsp; Can you run a btool and check what props have been considered&nbsp; on SH?</P><LI-CODE lang="markup">./splunk btool props list --debug | grep &lt;your_sourcetype_here&gt;</LI-CODE><P>&nbsp;</P> Wed, 04 Aug 2021 05:35:16 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/562018#M195462 venkatasri 2021-08-04T05:35:16Z https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/562256#M195557 <P>The host is an AIO Splunk instance but here is the output of btool for props.conf:<BR /><BR /></P><LI-SPOILER><FONT face="courier new,courier">[velocloud:api]</FONT><BR /><FONT face="courier new,courier">ADD_EXTRA_TIME_FIELDS = True</FONT><BR /><FONT face="courier new,courier">ANNOTATE_PUNCT = True</FONT><BR /><FONT face="courier new,courier">AUTO_KV_JSON = true</FONT><BR /><FONT face="courier new,courier">BREAK_ONLY_BEFORE =</FONT><BR /><FONT face="courier new,courier">BREAK_ONLY_BEFORE_DATE = True</FONT><BR /><FONT face="courier new,courier">CHARSET = UTF-8</FONT><BR /><FONT face="courier new,courier">DATETIME_CONFIG = /etc/datetime.xml</FONT><BR /><FONT face="courier new,courier">DEPTH_LIMIT = 1000</FONT><BR /><FONT face="courier new,courier">EVAL action = </FONT><BR /><FONT face="courier new,courier">HEADER_MODE =</FONT><BR /><FONT face="courier new,courier">KV_MODE = JSON</FONT><BR /><FONT face="courier new,courier">LEARN_MODEL = true</FONT><BR /><FONT face="courier new,courier">LEARN_SOURCETYPE = true</FONT><BR /><FONT face="courier new,courier">LINE_BREAKER_LOOKBEHIND = 100</FONT><BR /><FONT face="courier new,courier">MATCH_LIMIT = 100000</FONT><BR /><FONT face="courier new,courier">MAX_DAYS_AGO = 2000</FONT><BR /><FONT face="courier new,courier">MAX_DAYS_HENCE = 2</FONT><BR /><FONT face="courier new,courier">MAX_DIFF_SECS_AGO = 3600</FONT><BR /><FONT face="courier new,courier">MAX_DIFF_SECS_HENCE = 604800</FONT><BR /><FONT face="courier new,courier">MAX_EVENTS = 256</FONT><BR /><FONT face="courier new,courier">MAX_TIMESTAMP_LOOKAHEAD = 128</FONT><BR /><FONT face="courier new,courier">MUST_BREAK_AFTER =</FONT><BR /><FONT face="courier new,courier">MUST_NOT_BREAK_AFTER =</FONT><BR /><FONT face="courier new,courier">MUST_NOT_BREAK_BEFORE =</FONT><BR /><FONT face="courier new,courier">SEGMENTATION = indexing</FONT><BR /><FONT face="courier new,courier">SEGMENTATION-all = full</FONT><BR /><FONT face="courier new,courier">SEGMENTATION-inner = inner</FONT><BR /><FONT face="courier new,courier">SEGMENTATION-outer = outer</FONT><BR /><FONT face="courier new,courier">SEGMENTATION-raw = none</FONT><BR /><FONT face="courier new,courier">SEGMENTATION-standard = standard</FONT><BR /><FONT face="courier new,courier">SHOULD_LINEMERGE = True</FONT><BR /><FONT face="courier new,courier">TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z</FONT><BR /><FONT face="courier new,courier">TIME_PREFIX = \"eventTime\"\s*\:\s*\"</FONT><BR /><FONT face="courier new,courier">TRANSFORMS =</FONT><BR /><FONT face="courier new,courier">TRANSFORMS-core = velocloud_host</FONT><BR /><FONT face="courier new,courier">TRUNCATE = 10000</FONT><BR /><FONT face="courier new,courier">TZ = UTC</FONT><BR /><FONT face="courier new,courier">detect_trailing_nulls = false</FONT><BR /><FONT face="courier new,courier">maxDist = 100</FONT><BR /><FONT face="courier new,courier">priority =</FONT><BR /><FONT face="courier new,courier">sourcetype =</FONT></LI-SPOILER> Thu, 05 Aug 2021 13:26:38 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Nested-JSON/m-p/562256#M195557 kernand0 2021-08-05T13:26:38Z