https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658342#M227408 <P>Those props.conf settings should be on a heavy forwarder and/or an indexer.&nbsp; They do no good on a universal forwarder.</P><P>If the event is not pure and correct JSON then the INDEXED_EXTRACTIONS=JSON and KV_MODE=_json settings won't work.</P> Thu, 21 Sep 2023 19:26:20 GMT richgalloway 2023-09-21T19:26:20Z https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658176#M227356 <P>can't figure out how to indexing my data from zigbee2mgtt.&nbsp; The logs are exported from Home assistance via syslog, as Json.&nbsp;</P> <P>I have tried various settings in props on the forwarder.<BR /><SPAN><BR />Current setting:</SPAN></P> <P><EM>[zigbee2mqtt]</EM><BR /><EM>DATETIME_CONFIG =</EM><BR /><EM>INDEXED_EXTRACTIONS = JSON</EM><BR /><EM>category = structured</EM><BR /><EM>NO_BINARY_CHECK = true</EM><BR /><EM>TIMESTAMP_FIELDS = timestamp</EM><BR /><EM>LINE_BREAKER = ([\r\n]+)</EM><BR /><EM>disabled = false</EM><BR /><EM>pulldown_type = true</EM></P> <P>And on the search:</P> <P>Current:<BR /><EM>[zigbee2mqtt]</EM><BR /><EM>KV_MODE = JSON</EM></P> <P>And this is how the data appears in the log.&nbsp; for me it looks like some kind mix, not just JSON data.</P> <DIV><EM>Sep 20 19:13:19 linsrv 1 2023-09-20T17:13:19.941+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P001', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":7.82,"current":0,"device_temperature":25,"energy":7.82,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":3,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":234}'/n</EM></DIV> <DIV><EM>host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.log sourcetype = zigbee2mqtt</EM></DIV> <DIV>&nbsp;</DIV> <DIV><EM>Sep 20 19:08:13 linsrv06.hemdata.hemdata.se 1 2023-09-20T17:08:13.988+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P002', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":2.58,"current":0,"device_temperature":23,"energy":2.58,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":0,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":229}'/n</EM></DIV> <DIV><EM>host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.log sourcetype = zigbee2mqtt</EM></DIV> <DIV>&nbsp;</DIV> <DIV><EM>Sep 20 19:08:13 linsrv 1 2023-09-20T17:08:13.968+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P001', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":7.82,"current":0,"device_temperature":25,"energy":7.82,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":3,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":234}'/n</EM></DIV> <DIV><EM>host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.logsourcetype = zigbee2mqtt</EM></DIV> <DIV>&nbsp;</DIV> <DIV><EM>Sep 20 19:08:06 linsrv 1 2023-09-20T17:08:06.199+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P002', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":2.58,"current":0,"device_temperature":23,"energy":2.58,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":0,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":229}'/n</EM></DIV> <DIV><EM>host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.log sourcetype = zigbee2mqtt</EM></DIV> <P>&nbsp;</P> Wed, 20 Sep 2023 20:04:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658176#M227356 swejoos 2023-09-20T20:04:11Z https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658342#M227408 <P>Those props.conf settings should be on a heavy forwarder and/or an indexer.&nbsp; They do no good on a universal forwarder.</P><P>If the event is not pure and correct JSON then the INDEXED_EXTRACTIONS=JSON and KV_MODE=_json settings won't work.</P> Thu, 21 Sep 2023 19:26:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658342#M227408 richgalloway 2023-09-21T19:26:20Z https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658522#M227466 <P>Ok, Thanks.</P><P>So I should move all config to the search instead.</P><P>I have now tried that and the result seems to be the same, still index.&nbsp;</P><P>&nbsp;</P> Sun, 24 Sep 2023 18:52:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658522#M227466 swejoos 2023-09-24T18:52:58Z https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658534#M227467 <P>As stated in my original reply, the settings go on indexers and/or heavy forwarders.&nbsp; You can put them on search heads, but they won't do any good.&nbsp; Unless, that is, you have a standalone system (combined indexer and search head).</P> Sun, 24 Sep 2023 23:11:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658534#M227467 richgalloway 2023-09-24T23:11:40Z https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658961#M227579 <P>ok. sorry,</P><P>But yes I have a combined index/search head, and a separate universal forwarder.&nbsp;&nbsp;</P> Thu, 28 Sep 2023 13:08:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-index-data-from-zigbee2mqtt/m-p/658961#M227579 swejoos 2023-09-28T13:08:58Z