Deployment Architecture

Indexing JSON - problem

bugnet
Path Finder

Hi all,

I have json data that incoming from FIREEYE but can't parsing.
I'm working with cluster environment.

inputs.conf on the heavy forwarder:

Blockquote

[tcp://6012]
index=fire_eye
sourcetype=_json
disabled=0

Blockquote

The events shown in Splunk but not parsing.

Tags (1)
0 Karma

bugnet
Path Finder

Hi,

As I mentioned - I'm working with cluster environment.
accordingly, Where I need to edit the props.conf? in the cluster master?

0 Karma

aakwah
Builder

Hello,

I think you should assing json KV_MODE for your sourcetype, stantz like this in props.conf

[_json] 
KV_MODE = json

May be you need to set TIME_FORMAT and LINE_BREAKER as well.

If the above doesn't work thanks to send sample from log.

Regards

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...