All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I parse a JSON field at index?

rharrigan
Engager
‎08-11-2017 01:31 PM

I have some records coming in from the Amazon Kinesis Modular Input app (https://splunkbase.splunk.com/app/1856/). The payload of which is a JSON object. I've gotten the configuration set up and have data flowing in with associated Kinesis metadata and the payload is in a field called record. Sample raw record:

Fri Aug 11 15:16:48 CDT 2017 name=kinesis_record_received event_id= record={"json_key":"json_value"} sequence_number=564518360546206023682 partition_key=partition-us-east-1:f165e651

I have tried Method 1 from https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs.html

props.conf:

[kinesis://kinesis_analytics]
REPORT-json = report-json,report-json-kv

transforms.conf

[report-json]       
# This will get the json payload from the logs. 
# Put your specific logic if you need. Below is a very basic logic baed on { bracket
REGEX = (?P<record>{.+)    

[report-json-kv]
REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+)
FORMAT = $1::$2
MV_ADD = true
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎08-13-2017 04:13 PM

Just to confirm your pops.conf/transforms.conf is on the search head ?

Also in the props.conf

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

Perhaps you could try using the sourcetype in the props.conf ?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...