Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with oneshot json: Why is | kvmode incorrect?

NullZero
Path Finder
‎10-17-2022 08:40 AM

I'm using a distributed Splunk Enterprise environment with over 15 peers at the Indexer Tier.  I have some JSON data in a small file less than 500KB and I'm confident that the JSON is parsed correctly and this has been verified in Python with a simple check script.

issued command:

./splunk add oneshot "/tmp/<file.json>" -sourcetype xxxx:xxxx -index <index>

The command completes and the data is ingested.

However, it has parsed as an event per line and not as JSON. Obviously in props.conf the default is not set for 'KV_MODE = json'. There is no option in the CLI when using oneshot to set as JSON.

Any thoughts or guidance please. I am a certified Splunk PS consultant but everyday brings something new for all of us right.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2022 09:55 AM

The sourcetype specified in the oneshot command should be one that properly processes JSON.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

anwarmian
Communicator
‎09-07-2024 09:27 AM

We need to keep in mind that KV_MODE applies to search time only and the field extractons ae best to be done at search time.  Therefore, at index time if you have the following parameters set you should be good.

props.conf

[sourcetypename]
LINE_BREAKER
TIME_PREFIX
MAX_TIMESTAMP_LOOKAHEAD
TIME_FORMAT
TRUNCATE
SHOULD_LINEMERGE = false # LINE_BREAKER should be properly set so you can keep SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2022 09:55 AM

The sourcetype specified in the oneshot command should be one that properly processes JSON.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

NullZero
Path Finder
‎10-18-2022 07:03 AM

The following did ingest the data as JSON, and provide KV pairs:

./splunk add oneshot "/tmp/<file.json>" -sourcetype _json -index <index>

Reply
Solved! Jump to solution

NullZero
Path Finder
‎10-17-2022 12:36 PM

Thanks @richgalloway that seems like a really obvious solution now you say it. Referencing the docs I think therefore I should trial:

  • _json
  • json_no_timestamp

I appreciate the feedback and I will let you and the community know. The obvious drawback here is that you can't use a custom sourcetype per the client environment but I suppose oneshot is not designed for scale and batch or monitor should be used for the sustainable solution.

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...