Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extraction from Nested Json during Index time

Poojitha
Communicator
‎06-17-2024 11:12 PM

Hi All,

 

 

TagData [ [-]
     { [-]
       Key: Application
       Value: Test_App
     }
     { [-]
       Key: Email
       Value: test@abc.com
     }
]

 

 


I have nested json data as above.

I want to extract Email field value and map it to new field - owner_email . This need to be done during indexing time.

With normal splunk search , I am getting way :

index=*_test sourcetype="test:sourcetype" source="*:test" 
| array2object path="TagData" key="Key" value="Value"   
| rename "TagData.Email" as owner_email


Please help me how to achieve this during indexing time. How do I update props.conf file ?

Regards,
PNV

Labels (1)
Labels
0 Karma
Reply

Poojitha
Communicator
‎06-18-2024 12:18 AM

@gcusello : Thanks for your response.

Story in short, I want to map certificate details from one of the sources to fields in certificate datamodel.  https://docs.splunk.com/Documentation/CIM/5.3.2/User/Certificates.
This is my requirment.

I have mapped two fields using FIELDALIAS - ssl_issuer and ssl_end_time.

Now I want to map TagData.Email to ssl_issuer_email. I am using these fields further.

Regards,
PNV

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2024 01:34 AM

Hi @Poojitha,

to do this you don't need to define fields at index time, but also at search time you can load your data in Data Models.

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎06-17-2024 11:28 PM

Hi @Poojitha ,

the first question is why?

create fields at index time gives additional load to the indexers during indexing, this is possibe if you haven't a big volume of data.

anyway you have to use the way to create fields at index time descripted at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Configureindex-timefieldextraction 

an ingestions eval then you have to use an ingest eval action descripted at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/IngestEval

in props.conf

[your_sourcetype]
TRANSFORMS-eval1 =eval1

in transforms:

[eval1]
INGEST_EVAL = field3=json_extract(email,Tagdata{}.Email)

(please check the path of your json field

in fields.conf

[username]
INDEXED=true

 Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...