Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you extract JSON syslog automatically?

tkwaller
Builder
‎06-13-2017 01:07 PM

Trying to get my syslog in json format to extract properly.

I've tried using INDEXED_EXTRACTIONS=JSON as well as KV_MODE=json(not at the same time) and neither have worked.

Here is a short sample log

Jun 13 15:41:27 host.domain.com {"account_id":"678", "legacy_domain_id":"12345", "visitor_ip":"xx.xxx.xxx.xx", "time":"1497368487.007","request":"GET /stuff/search/stuff/morestuff"}

Unfortunately it doesnt seem to be working as nothing gets extracted.
I'm sure its something I'm doing or something with the log format.
Any help would be apprciated.
Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎06-13-2017 02:05 PM

JSON will not auto-extract with the timestamp/host prefix in your data. You can use a SEDCMD to strip it out in props.conf.

e.g.

[my_sourcetype]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
KV_MODE=none

You'll want to add TIME_PREFIX, TIME_FORMAT, etc. as well.

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎06-13-2017 02:05 PM

JSON will not auto-extract with the timestamp/host prefix in your data. You can use a SEDCMD to strip it out in props.conf.

e.g.

[my_sourcetype]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
KV_MODE=none

You'll want to add TIME_PREFIX, TIME_FORMAT, etc. as well.

Reply
Solved! Jump to solution

tkwaller
Builder
‎06-19-2017 08:03 AM

Hello
Sorry for the delay, was super busy with work.
I knew it had to be something with the preceding data but wasn't sure. I added to the config and now it looks as such:
[syslogtest]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
KV_MODE=none
DATETIME_CONFIG =
TIME_FORMAT = %s.%6N
TIME_PREFIX = "time":"
NO_BINARY_CHECK = true
category = Custom
description = syslogtest
disabled = false
pulldown_type = true

I left the default stuff there.

Only now parsing doesnt take place:
06-19-2017 09:36:04.310 -0500 ERROR JsonLineBreaker - JSON StreamId:5377901818726410745 had parsing error:Unexpected character while looking for value: 'J' - data_source="C:\syslog.log", data_host="L-BDL-10007862", data_sourcetype="syslogtest"

Any thoughts?
Thanks!

0 Karma
Reply
Solved! Jump to solution

darlas
Communicator
‎02-23-2018 01:01 PM

Hi.

I'm facing the same issue.

I've added the following to my props.conf but still not working.

SEDCMD-StripHeader = s/^[^{]+//g
KV_MODE=json

Does the associated TA need to be pushed to indexers as well as search heads?

Does there need to be a reference later in props.conf to the SEDCMD-StripHeader line?

Thanks!

0 Karma
Reply
Solved! Jump to solution

andygerber
Path Finder
‎09-28-2017 02:35 PM

Thank you, just what I needed....

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎06-19-2017 09:18 AM

So it seems it wouldn't work with:
INDEXED_EXTRACTIONS=JSON

but it DID work with:
KV_MODE=json

Thanks for the help, I appreciate it!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...