I have some records coming in from the Amazon Kinesis Modular Input app (https://splunkbase.splunk.com/app/1856/), the payload of which is a JSON object. I've gotten the configuration set up and have data flowing in with associated Kinesis metadata, and the payload is in a field called record. Sample raw record:
Fri Aug 11 15:16:48 CDT 2017 name=kinesis_record_received event_id= record={"json_key":"json_value"} sequence_number=564518360546206023682 partition_key=partition-us-east-1:f165e651
I have tried Method 1 from https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs.html
props.conf:
[kinesis://kinesis_analytics]
REPORT-json = report-json,report-json-kv
transforms.conf:
[report-json]
# This will get the json payload from the logs.
# Put your specific logic here if you need to. Below is very basic logic based on the { bracket
REGEX = (?P<record>{.+)
[report-json-kv]
REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+)
FORMAT = $1::$2
MV_ADD = true
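To see what those two transforms actually pull out of the sample record, here is an added Python simulation (not code from the original post or from the Splunk app) that applies the same two regexes in the order REPORT-json lists them. The first event is the raw record from the question; the second is a constructed record with a number, a boolean and a nested object, which shows which values the [report-json-kv] regex silently drops.

```python
import json
import re
from typing import Dict, List

# Regexes copied verbatim from the transforms.conf in the question.
RECORD_RE = re.compile(r"(?P<record>{.+)")
KV_RE = re.compile(r"\"(\w+)\":[\s]*\"([^\,\}\"]+)")

# Raw event from the question.
SAMPLE_EVENT = ('Fri Aug 11 15:16:48 CDT 2017 name=kinesis_record_received event_id= '
                'record={"json_key":"json_value"} sequence_number=564518360546206023682 '
                'partition_key=partition-us-east-1:f165e651')
# Constructed event (not from the page): non-string and nested values in the payload.
CONSTRUCTED_EVENT = ('Fri Aug 11 15:17:02 CDT 2017 name=kinesis_record_received event_id= '
                     'record={"user":"alice","count":3,"ok":true,"tags":{"env":"prod"}} '
                     'sequence_number=564518360546206023683 partition_key=partition-us-east-1:f165e651')


def report_json(event: str) -> str:
    """Stage 1 ([report-json]): greedy '{.+' takes everything from the first '{'
    to the end of the line, so the Kinesis metadata after the payload comes along too."""
    m = RECORD_RE.search(event)
    return m.group("record") if m else ""


def record_is_valid_json(record: str) -> bool:
    """Stage 1 output cannot be fed to a JSON parser because of that trailing metadata."""
    try:
        json.loads(record)
        return True
    except json.JSONDecodeError:
        return False


def report_json_kv(record: str) -> Dict[str, List[str]]:
    """Stage 2 ([report-json-kv]): only "key":"string" pairs match; numbers, booleans
    and objects are skipped, and nested keys lose their parent path. MV_ADD=true means
    a repeated key becomes a multivalue field, modelled here as a list."""
    fields: Dict[str, List[str]] = {}
    for key, value in KV_RE.findall(record):
        fields.setdefault(key, []).append(value)
    return fields


def extract(event: str) -> Dict[str, List[str]]:
    """Run both transforms in the order REPORT-json = report-json,report-json-kv."""
    return report_json_kv(report_json(event))
```

On the constructed event only user and env survive: count, ok and the tags container are not extracted at all, which is the gap a native JSON extraction (spath or INDEXED_EXTRACTIONS=json) closes.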
Just to confirm, your props.conf/transforms.conf is on the search head?
Also, in props.conf:
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type classification rule.
These are only considered as a last resort before generating a new source type based on the source seen.
Perhaps you could try using the sourcetype in props.conf?