Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with oneshot json: Why is | kvmode incorrect?

NullZero
Path Finder
‎10-17-2022 08:40 AM

I'm using a distributed Splunk Enterprise environment with over 15 peers at the Indexer Tier.  I have some JSON data in a small file less than 500KB and I'm confident that the JSON is parsed correctly and this has been verified in Python with a simple check script.

issued command:

./splunk add oneshot "/tmp/<file.json>" -sourcetype xxxx:xxxx -index <index>

The command completes and the data is ingested.

However, it has parsed as an event per line and not as JSON. Obviously in props.conf the default is not set for 'KV_MODE = json'. There is no option in the CLI when using oneshot to set as JSON.

Any thoughts or guidance please. I am a certified Splunk PS consultant but everyday brings something new for all of us right.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2022 09:55 AM

The sourcetype specified in the oneshot command should be one that properly processes JSON.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2022 09:55 AM

The sourcetype specified in the oneshot command should be one that properly processes JSON.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

NullZero
Path Finder
‎10-18-2022 07:03 AM

The following did ingest the data as JSON, and provide KV pairs:

./splunk add oneshot "/tmp/<file.json>" -sourcetype _json -index <index>

Reply
Solved! Jump to solution

NullZero
Path Finder
‎10-17-2022 12:36 PM

Thanks @richgalloway that seems like a really obvious solution now you say it. Referencing the docs I think therefore I should trial:

  • _json
  • json_no_timestamp

I appreciate the feedback and I will let you and the community know. The obvious drawback here is that you can't use a custom sourcetype per the client environment but I suppose oneshot is not designed for scale and batch or monitor should be used for the sustainable solution.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...