I am using the Kafka Messaging Modular Input (https://splunkbase.splunk.com/app/1817/) to get data into Splunk. The data coming over Kafka is JSON.
When it gets to Splunk, the events look like this:
Tue Aug 25 16:07:37 UTC 2015 name="kafka_msg_received" event_id="" msg_body="{"type":"server.statistics","current-time":1440518856.847175,"server-start-time":1440518271.104432,"node-id":"bd308a2c-c291-5868-bd97-0b06c27b536b","content":{"reset-time":1440518271.367789}}"
... | spath input=msg_body
does not generate any fields from the JSON.
How can I use spath to parse the JSON in these events?
Might be easier for you to plug in a custom message handler to just dump the JSON. There is one that ships by default with the App.
Works like a charm. Thanks!
com.splunk.modinput.kafka.BodyOnlyMessageHandler
Just because I had to type it out and this might save someone the trouble 🙂
Mavis Beacon would be proud 🙂
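The event in the question wraps unescaped JSON inside msg_body="...", so a quoted key="value" extraction ends the value at the first inner quote. The following Python is an added example, not part of the original thread and not Splunk's or the app's code; it parses that wrapper format and flattens the JSON into dotted field names like those spath produces. The function names and the naive regex are illustrative assumptions.

```python
import json
import re

# Constructed sample: the wrapped event shown in the question.
SAMPLE_EVENT = (
    'Tue Aug 25 16:07:37 UTC 2015 name="kafka_msg_received" event_id="" '
    'msg_body="{"type":"server.statistics","current-time":1440518856.847175,'
    '"server-start-time":1440518271.104432,'
    '"node-id":"bd308a2c-c291-5868-bd97-0b06c27b536b",'
    '"content":{"reset-time":1440518271.367789}}"'
)
MARKER = 'msg_body="'

def naive_kv(event):
    """Illustrative key="value" extraction that stops at the next quote."""
    return dict(re.findall(r'(\w+)="([^"]*)"', event))

def extract_body(event):
    """Return the JSON value embedded after msg_body=" in a wrapped event."""
    start = event.find(MARKER)
    if start == -1:
        raise ValueError("no msg_body field in event")
    start += len(MARKER)
    # raw_decode parses exactly one JSON value and reports where it ended,
    # so the unescaped inner quotes do not confuse the extraction.
    body, end = json.JSONDecoder().raw_decode(event, start)
    if event[end:end + 1] != '"':
        raise ValueError("msg_body is not closed by a quote after the JSON")
    return body

def flatten(value, prefix=""):
    """Flatten nested objects into dotted paths; lists are kept as values."""
    if not isinstance(value, dict):
        return {prefix: value}
    fields = {}
    for key, child in value.items():
        path = f"{prefix}.{key}" if prefix else key
        fields.update(flatten(child, path))
    return fields

def parse_event(event):
    """Wrapped event line -> flat dict of JSON fields."""
    return flatten(extract_body(event))

if __name__ == "__main__":
    print("naive msg_body:", repr(naive_kv(SAMPLE_EVENT)["msg_body"]))
    for name, value in parse_event(SAMPLE_EVENT).items():
        print(f"{name} = {value!r}")
```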