Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with oneshot json: Why is | kvmode incorrect?

NullZero
Path Finder
‎10-17-2022 08:40 AM

I'm using a distributed Splunk Enterprise environment with over 15 peers at the Indexer Tier.  I have some JSON data in a small file less than 500KB and I'm confident that the JSON is parsed correctly and this has been verified in Python with a simple check script.

issued command:

./splunk add oneshot "/tmp/<file.json>" -sourcetype xxxx:xxxx -index <index>

The command completes and the data is ingested.

However, it has parsed as an event per line and not as JSON. Obviously in props.conf the default is not set for 'KV_MODE = json'. There is no option in the CLI when using oneshot to set as JSON.

Any thoughts or guidance please. I am a certified Splunk PS consultant but everyday brings something new for all of us right.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2022 09:55 AM

The sourcetype specified in the oneshot command should be one that properly processes JSON.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

anwarmian
Communicator
‎09-07-2024 09:27 AM

We need to keep in mind that KV_MODE applies to search time only and the field extractons ae best to be done at search time.  Therefore, at index time if you have the following parameters set you should be good.

props.conf

[sourcetypename]
LINE_BREAKER
TIME_PREFIX
MAX_TIMESTAMP_LOOKAHEAD
TIME_FORMAT
TRUNCATE
SHOULD_LINEMERGE = false # LINE_BREAKER should be properly set so you can keep SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2022 09:55 AM

The sourcetype specified in the oneshot command should be one that properly processes JSON.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

NullZero
Path Finder
‎10-18-2022 07:03 AM

The following did ingest the data as JSON, and provide KV pairs:

./splunk add oneshot "/tmp/<file.json>" -sourcetype _json -index <index>

Reply
Solved! Jump to solution

NullZero
Path Finder
‎10-17-2022 12:36 PM

Thanks @richgalloway that seems like a really obvious solution now you say it. Referencing the docs I think therefore I should trial:

  • _json
  • json_no_timestamp

I appreciate the feedback and I will let you and the community know. The obvious drawback here is that you can't use a custom sourcetype per the client environment but I suppose oneshot is not designed for scale and batch or monitor should be used for the sustainable solution.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...