Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fields Extraction from JSON File

newsplunker1
Path Finder
‎04-24-2020 08:09 AM

Im monitoring a JSON file and forwarding the data using UF to my indexers . Im having problems to extract the JSON fields . Here is my props file . Nothing is being extracted ( i was trying to upload a screenshot but i dont have enought points ) . i know its something with the props but im unable to figure it out . any help would be appreciated

[test]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
disabled = false
pulldown_type = true

Thanks

Tags (2)
0 Karma
Reply

wwhite12
Path Finder
‎04-24-2020 08:18 AM

Check this out, https://answers.splunk.com/answers/556279/why-would-indexed-extractionsjson-in-propsconf-be.html

The props.conf has to be on the UF with the INDEXED_EXTRACTIONS and the props also has to be on the SH with the KV_MODE=NONE

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...