Solved: Can Splunk read a file in JSON format?

pfabrizi · ‎06-28-2018

We are trying to pull in slack data using function1 which is not work as we are using the new api. We had a call with slack and they suggested to create a custom app. In the interim what we would like to is create a script that fetches the slack events and writes to a file and then use a file monitor to retrieve the events.
Slack returns the data in json, so how would I setup the file monitor to read json? Or would I just format the data in the script that retrieves slack?

Thanks!

amiftah · ‎06-28-2018

@pfabrizi:

your inputs.conf should look like this:

[monitor:////test/sample.json]
disabled = false
index = yourIndex
sourcetype = _json

You can read more about monitoring here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

View solution in original post

amiftah · ‎06-28-2018

@pfabrizi:

your inputs.conf should look like this:

[monitor:////test/sample.json]
disabled = false
index = yourIndex
sourcetype = _json

You can read more about monitoring here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

pfabrizi · ‎06-29-2018

Thank You!

amiftah · ‎06-28-2018

Yes you can.
There is a predefined sourcetype for json called _json

https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Listofpretrainedsourcetypes

pfabrizi · ‎06-28-2018

Hi Amiftah,
So I would just add this to my inputs.conf?

source=_json
sourcetype=box

thanks!

Can Splunk read a file in JSON format?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Can Splunk read a file in JSON format?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR