Solved: Can Splunk read a file in JSON format?

pfabrizi · ‎06-28-2018

We are trying to pull in slack data using function1 which is not work as we are using the new api. We had a call with slack and they suggested to create a custom app. In the interim what we would like to is create a script that fetches the slack events and writes to a file and then use a file monitor to retrieve the events.
Slack returns the data in json, so how would I setup the file monitor to read json? Or would I just format the data in the script that retrieves slack?

Thanks!

amiftah · ‎06-28-2018

@pfabrizi:

your inputs.conf should look like this:

[monitor:////test/sample.json]
disabled = false
index = yourIndex
sourcetype = _json

You can read more about monitoring here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

View solution in original post

amiftah · ‎06-28-2018

@pfabrizi:

your inputs.conf should look like this:

[monitor:////test/sample.json]
disabled = false
index = yourIndex
sourcetype = _json

You can read more about monitoring here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

pfabrizi · ‎06-29-2018

Thank You!

amiftah · ‎06-28-2018

Yes you can.
There is a predefined sourcetype for json called _json

https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Listofpretrainedsourcetypes

pfabrizi · ‎06-28-2018

Hi Amiftah,
So I would just add this to my inputs.conf?

source=_json
sourcetype=box

thanks!

Can Splunk read a file in JSON format?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Can Splunk read a file in JSON format?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits