Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extraction from Nested Json during Index time

Poojitha
Communicator
‎06-17-2024 11:12 PM

Hi All,

 

 

TagData [ [-]
     { [-]
       Key: Application
       Value: Test_App
     }
     { [-]
       Key: Email
       Value: test@abc.com
     }
]

 

 


I have nested json data as above.

I want to extract Email field value and map it to new field - owner_email . This need to be done during indexing time.

With normal splunk search , I am getting way :

index=*_test sourcetype="test:sourcetype" source="*:test" 
| array2object path="TagData" key="Key" value="Value"   
| rename "TagData.Email" as owner_email


Please help me how to achieve this during indexing time. How do I update props.conf file ?

Regards,
PNV

Labels (1)
Labels
0 Karma
Reply

Poojitha
Communicator
‎06-18-2024 12:18 AM

@gcusello : Thanks for your response.

Story in short, I want to map certificate details from one of the sources to fields in certificate datamodel.  https://docs.splunk.com/Documentation/CIM/5.3.2/User/Certificates.
This is my requirment.

I have mapped two fields using FIELDALIAS - ssl_issuer and ssl_end_time.

Now I want to map TagData.Email to ssl_issuer_email. I am using these fields further.

Regards,
PNV

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2024 01:34 AM

Hi @Poojitha,

to do this you don't need to define fields at index time, but also at search time you can load your data in Data Models.

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎06-17-2024 11:28 PM

Hi @Poojitha ,

the first question is why?

create fields at index time gives additional load to the indexers during indexing, this is possibe if you haven't a big volume of data.

anyway you have to use the way to create fields at index time descripted at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Configureindex-timefieldextraction 

an ingestions eval then you have to use an ingest eval action descripted at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/IngestEval

in props.conf

[your_sourcetype]
TRANSFORMS-eval1 =eval1

in transforms:

[eval1]
INGEST_EVAL = field3=json_extract(email,Tagdata{}.Email)

(please check the path of your json field

in fields.conf

[username]
INDEXED=true

 Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top