I don't seem to be able to set up a field transformation using a Source Key that comes from a JSON event field.
I have events like this:
{
"time": "2013-06-23T13:55:37+00:00",
"handler": "UsersController#index"
}
And I'd like to extract "UsersController" and "index" from the "handler" field. I have props.conf configured with KV_MODE=json
I added this transform via the GUI:
[controller_action_transform]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?<controller>.*)#(?<action>.*)
SOURCE_KEY = handler
and this field extraction:
[json]
REPORT-controller_action_extraction = controller_action_transform
however, when I do a query like this:
sourcetype=json | table handler controller action
I do get results for "handler" but don't get anything for "controller" or "action":
| handler               | controller | action |
|-----------------------|------------|--------|
| UsersController#index |            |        |
If I change the transform SOURCE_KEY to "_raw" then I do get results for controller & action (though not exactly correct).
Also, I can do an inline "rex" field extraction using the "handler" field and get the correct results. That is, this works just fine:
sourcetype=json | rex field=handler "(?<controller>.*)#(?<action>.*)" | table handler controller action
Am I doing something wrong with the transform? Are JSON-extracted fields not available for use in transforms or something?
(NOTE: The above is just some sample data I created for testing this out. The real logs that I need to use this on have more data and nested keys and so forth, so a workaround that involves not using the extracted JSON fields would be pretty non-ideal.)
I got an answer via Splunk Support.
They said:
I was able to repro. And this is a bug.
If not using the SOURCE_KEY then extractions are working.
When referring to a field that was extracted using KV_MODE = json, it is not working. I was able to find an already existing issue for that bug.
It's SPL-61046 and will probably be fixed in the next major release (not a maintenance release). But there is a workaround to get it working.
Use the search like:
sourcetype=json | kv reload=t | table handler controller action
I've confirmed that the workaround does solve the problem.
I was just curious if the referenced SPL-61046 issue was ever resolved? I am trying to do something very similar to the OP and having the same issue. I'm able to get around it by using a regex match on the _raw data, but it would be nice to be able to define the SOURCE_KEY for the JSON data.
(Also, if there is somewhere that I can view details about the referenced SPL issue, please let me know)
3 years on I am still seeing this issue.
Does anyone know at what point JSON fields are extracted?
It appears to be after custom transforms.conf configs.
I pinged my Splunk support rep today and was told:
"The bug was closed with "cannot reproduce" this past October. The original issue was reported for 4.1.3 and 5.0.1.
That said, Splunk is particular about the JSON. Extraneous and/or incorrect delimiters will cause extraction to fail. Additionally, you should set KV_MODE=none if you are using INDEXED_EXTRACTIONS=json, otherwise data will be duplicated."
I'm also trying to get this working. The only way I got it working was using the | kv reload=t trick. I tried both with KV_MODE = json and with the default. Data is ingested using the HTTP Event Collector.
Splunk 7.1.0. SPL-61046 should be reopened IMHO
I was wrong. KV_MODE = json solved it. No need for the | kv reload=t trick.
Got the same issue; doing the transformation on the _raw seems to be the only solution. But it is not perfect, as the escaped characters in the JSON value are not displayed correctly.
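The two symptoms reported in this thread, the OP's "not exactly correct" results when SOURCE_KEY is switched to _raw and the last post's mangled escape sequences, both follow from where the transform's REGEX is applied. The following JavaScript is an added example written for this page, not code from the thread or from Splunk: it runs the thread's REGEX unchanged (JavaScript supports the same `(?<name>...)` syntax) against the decoded "handler" field and against the raw event text, on two constructed events, the second of which carries a backslash in its handler value. The `RAW_ANCHORED_RE` pattern is an assumption of this example, standing in for the kind of _raw-side regex people fall back to.

```javascript
// Added example (not from the thread or from Splunk): compare what the
// thread's transform REGEX yields when applied to the decoded "handler"
// field versus the raw JSON event text.

// The REGEX from the thread's [controller_action_transform] stanza, unchanged.
const HANDLER_RE = /(?<controller>.*)#(?<action>.*)/;

// Assumed here: the sort of anchored pattern one writes when forced to use
// SOURCE_KEY = _raw. It finds the right value but still sees JSON escaping.
const RAW_ANCHORED_RE = /"handler":\s*"(?<controller>[^"#]*)#(?<action>[^"]*)"/;

// Constructed sample events modelled on the OP's event. The second handler
// contains a backslash, which JSON encodes as "\\" inside the raw text.
const RAW_EVENTS = [
  '{"time": "2013-06-23T13:55:37+00:00", "handler": "UsersController#index"}',
  '{"time": "2013-06-23T13:56:02+00:00", "handler": "Admin\\\\Users#index"}',
];

function groupsOf(re, text) {
  const m = re.exec(text);
  return m ? { controller: m.groups.controller, action: m.groups.action } : null;
}

// What the transform is meant to do: regex over the already-decoded field
// value (the situation SOURCE_KEY = handler is supposed to give).
function extractFromField(rawEvent) {
  const handler = JSON.parse(rawEvent).handler;
  return groupsOf(HANDLER_RE, handler);
}

// The OP's fallback: same REGEX, but over _raw. The greedy .* runs from the
// start of the event to the last '#', so controller/action are polluted.
function extractFromRaw(rawEvent) {
  return groupsOf(HANDLER_RE, rawEvent);
}

// The tighter _raw fallback: isolates the value, but returns the JSON-encoded
// text, so escape sequences survive (the last post's complaint).
function extractFromRawAnchored(rawEvent) {
  return groupsOf(RAW_ANCHORED_RE, rawEvent);
}

function compareExtractions(rawEvent) {
  return {
    fromField: extractFromField(rawEvent),
    fromRaw: extractFromRaw(rawEvent),
    fromRawAnchored: extractFromRawAnchored(rawEvent),
  };
}

for (const ev of RAW_EVENTS) {
  console.log(JSON.stringify(compareExtractions(ev), null, 2));
}
```

Run with `node` to see all three results side by side: only the field-based extraction returns `UsersController` / `index` and a single-backslash `Admin\Users`; the raw-text variants return either most of the event or the doubled backslash from the JSON encoding.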
