
Field Extraction from Nested Json during Index time

Poojitha
Communicator

Hi All,

TagData: [
    {
      Key: Application
      Value: Test_App
    }
    {
      Key: Email
      Value: [email protected]
    }
]

I have nested JSON data as above.

I want to extract the Email field value and map it to a new field, owner_email. This needs to be done at indexing time.

With a normal Splunk search, I am getting it this way:

index=*_test sourcetype="test:sourcetype" source="*:test"
| array2object path="TagData" key="Key" value="Value"
| rename "TagData.Email" as owner_email


Please help me with how to achieve this at indexing time. How do I update the props.conf file?

Regards,
PNV


Poojitha
Communicator

@gcusello : Thanks for your response.

In short, I want to map certificate details from one of the sources to fields in the Certificates data model: https://docs.splunk.com/Documentation/CIM/5.3.2/User/Certificates
This is my requirement.

I have mapped two fields using FIELDALIAS - ssl_issuer and ssl_end_time.

Now I want to map TagData.Email to ssl_issuer_email. I am using these fields further.

Regards,
PNV


gcusello
SplunkTrust

Hi @Poojitha,

To do this you don't need to define fields at index time; you can also load your data into Data Models at search time.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @Poojitha,

the first question is: why?

Creating fields at index time gives additional load to the indexers during indexing; this is possible if you don't have a big volume of data.

Anyway, you have to use the way to create fields at index time described at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Configureindex-timefieldextraction

Then you have to use an ingest eval action, described at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/IngestEval

in props.conf:

[your_sourcetype]
TRANSFORMS-eval1 = eval1

in transforms.conf:

[eval1]
# json_extract takes the JSON string first, then the quoted path;
# the extracted value is assigned to the new indexed field
INGEST_EVAL = owner_email=json_extract(_raw, "TagData{}.Email")

(please check the path of your json field)

in fields.conf (the stanza name must match the field created above):

[owner_email]
INDEXED=true

Ciao.

Giuseppe
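As an added illustration (not part of this thread and not Splunk's own code), a small Python model of the path syntax that json_extract and spath accept, run over a constructed copy of the sample event. It shows why the path needs checking: `TagData{}.Email` matches nothing because the array holds Key/Value pairs, and the key-based lookup that the question's array2object step performs is what yields the email. The path resolver is a simplified assumption of Splunk's behaviour, not its implementation.

```python
import json

# Constructed sample event mirroring the TagData array in the question.
SAMPLE_EVENT = json.dumps({
    "TagData": [
        {"Key": "Application", "Value": "Test_App"},
        {"Key": "Email", "Value": "owner@example.com"},
    ]
})

def resolve_path(obj, path):
    """Simplified model (assumption, not Splunk's code) of the path syntax
    json_extract/spath accept: 'a.b' descends into keys, 'a{}' iterates an
    array. Returns None for no match, a scalar for one, a list for several."""
    current = [obj]
    for segment in path.split("."):
        iterate = segment.endswith("{}")
        key = segment[:-2] if iterate else segment
        matched = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue
            value = node[key]
            if iterate:
                if isinstance(value, list):
                    matched.extend(value)
            else:
                matched.append(value)
        current = matched
    if not current:
        return None
    return current if len(current) > 1 else current[0]

def json_extract(raw, path):
    """Model of json_extract(_raw, path): parse the event, resolve the path."""
    return resolve_path(json.loads(raw), path)

def array2object(raw, path="TagData", key="Key", value="Value"):
    """Model of the search-time array2object step from the question:
    turn [{Key: k, Value: v}, ...] into {k: v}."""
    items = resolve_path(json.loads(raw), path)
    if not isinstance(items, list):
        items = [items] if items is not None else []
    return {i[key]: i[value] for i in items if key in i and value in i}

def owner_email(raw):
    """The field the question wants: the Value whose Key is 'Email'."""
    return array2object(raw).get("Email")
```

Running `json_extract(SAMPLE_EVENT, "TagData{}.Email")` returns nothing, while `owner_email(SAMPLE_EVENT)` returns the address, which is the difference to keep in mind when writing the INGEST_EVAL path.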
