All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I parse a JSON field at index?

rharrigan
Engager
‎08-11-2017 01:31 PM

I have some records coming in from the Amazon Kinesis Modular Input app (https://splunkbase.splunk.com/app/1856/). The payload of which is a JSON object. I've gotten the configuration set up and have data flowing in with associated Kinesis metadata and the payload is in a field called record. Sample raw record:

Fri Aug 11 15:16:48 CDT 2017 name=kinesis_record_received event_id= record={"json_key":"json_value"} sequence_number=564518360546206023682 partition_key=partition-us-east-1:f165e651

I have tried Method 1 from https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs.html

props.conf:

[kinesis://kinesis_analytics]
REPORT-json = report-json,report-json-kv

transforms.conf

[report-json]       
# This will get the json payload from the logs. 
# Put your specific logic if you need. Below is a very basic logic baed on { bracket
REGEX = (?P<record>{.+)    

[report-json-kv]
REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+)
FORMAT = $1::$2
MV_ADD = true
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎08-13-2017 04:13 PM

Just to confirm your pops.conf/transforms.conf is on the search head ?

Also in the props.conf

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

Perhaps you could try using the sourcetype in the props.conf ?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...