Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can Splunk read a file in JSON format?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pfabrizi
Path Finder
06-28-2018
01:40 PM
We are trying to pull in slack data using function1 which is not work as we are using the new api. We had a call with slack and they suggested to create a custom app. In the interim what we would like to is create a script that fetches the slack events and writes to a file and then use a file monitor to retrieve the events.
Slack returns the data in json, so how would I setup the file monitor to read json? Or would I just format the data in the script that retrieves slack?
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amiftah
Communicator
06-28-2018
05:44 PM
@pfabrizi:
your inputs.conf should look like this:
[monitor:////test/sample.json]
disabled = false
index = yourIndex
sourcetype = _json
You can read more about monitoring here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amiftah
Communicator
06-28-2018
05:44 PM
@pfabrizi:
your inputs.conf should look like this:
[monitor:////test/sample.json]
disabled = false
index = yourIndex
sourcetype = _json
You can read more about monitoring here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pfabrizi
Path Finder
06-29-2018
03:06 AM
Thank You!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amiftah
Communicator
06-28-2018
01:49 PM
Yes you can.
There is a predefined sourcetype for json called _json
https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Listofpretrainedsourcetypes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pfabrizi
Path Finder
06-28-2018
05:40 PM
Hi Amiftah,
So I would just add this to my inputs.conf?
source=_json
sourcetype=box
thanks!
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
