Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field Extraction from Nested Json during Index time

Poojitha
Communicator
‎06-17-2024 11:12 PM

Hi All,

 

 

TagData [ [-]
     { [-]
       Key: Application
       Value: Test_App
     }
     { [-]
       Key: Email
       Value: test@abc.com
     }
]

 

 


I have nested json data as above.

I want to extract Email field value and map it to new field - owner_email . This need to be done during indexing time.

With normal splunk search , I am getting way :

index=*_test sourcetype="test:sourcetype" source="*:test" 
| array2object path="TagData" key="Key" value="Value"   
| rename "TagData.Email" as owner_email


Please help me how to achieve this during indexing time. How do I update props.conf file ?

Regards,
PNV

Labels (1)
Labels
0 Karma
Reply

Poojitha
Communicator
‎06-18-2024 12:18 AM

@gcusello : Thanks for your response.

Story in short, I want to map certificate details from one of the sources to fields in certificate datamodel.  https://docs.splunk.com/Documentation/CIM/5.3.2/User/Certificates.
This is my requirment.

I have mapped two fields using FIELDALIAS - ssl_issuer and ssl_end_time.

Now I want to map TagData.Email to ssl_issuer_email. I am using these fields further.

Regards,
PNV

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2024 01:34 AM

Hi @Poojitha,

to do this you don't need to define fields at index time, but also at search time you can load your data in Data Models.

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎06-17-2024 11:28 PM

Hi @Poojitha ,

the first question is why?

create fields at index time gives additional load to the indexers during indexing, this is possibe if you haven't a big volume of data.

anyway you have to use the way to create fields at index time descripted at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Configureindex-timefieldextraction 

an ingestions eval then you have to use an ingest eval action descripted at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/IngestEval

in props.conf

[your_sourcetype]
TRANSFORMS-eval1 =eval1

in transforms:

[eval1]
INGEST_EVAL = field3=json_extract(email,Tagdata{}.Email)

(please check the path of your json field

in fields.conf

[username]
INDEXED=true

 Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...