Solved: Kafka Messaging Modular Input: How can I use spath...

jonathanwood · ‎08-25-2015

I am using the Kafka Messaging Modular Input (https://splunkbase.splunk.com/app/1817/ ) to get data in Splunk. The data coming over Kafka is JSON.

When it gets to splunk, the events look like this:

Tue Aug 25 16:07:37 UTC 2015 name="kafka_msg_received" event_id="" msg_body="{"type":"server.statistics","current-time":1440518856.847175,"server-start-time":1440518271.104432,"node-id":"bd308a2c-c291-5868-bd97-0b06c27b536b","content":{"reset-time":1440518271.367789}}"

... | spath input=msg_body does not generate any fields from the JSON.

How can I use spath to parse the JSON in these events?

Damien_Dallimor · ‎08-25-2015

Might be easier for you to plugin a custom message handler to just dump the JSON. There is one that ships by default with the App.

View solution in original post

Damien_Dallimor · ‎08-25-2015

Might be easier for you to plugin a custom message handler to just dump the JSON. There is one that ships by default with the App.

jonathanwood · ‎08-25-2015

Works like a charm. Thanks!

petehmrc · ‎11-06-2015

com.splunk.modinput.kafka.BodyOnlyMessageHandler

Just because I had to type it out and this might save someone the trouble 🙂

Damien_Dallimor · ‎11-06-2015

Mavis Beacon would be proud 🙂

Kafka Messaging Modular Input: How can I use spath to parse JSON in events coming over Kafka?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor