I'm using a distributed Splunk Enterprise environment with over 15 peers at the Indexer Tier. I have some JSON data in a small file less than 500KB and I'm confident that the JSON is parsed correctly and this has been verified in Python with a simple check script.
Issued command:
./splunk add oneshot "/tmp/<file.json>" -sourcetype xxxx:xxxx -index <index>
The command completes and the data is ingested.
However, it has parsed as an event per line and not as JSON. Obviously in props.conf the default is not set for 'KV_MODE = json'. There is no option in the CLI when using oneshot to set as JSON.
Any thoughts or guidance please? I am a certified Splunk PS consultant, but every day brings something new for all of us, right?
The sourcetype specified in the oneshot command should be one that properly processes JSON.
The following did ingest the data as JSON, and provide KV pairs:
./splunk add oneshot "/tmp/<file.json>" -sourcetype _json -index <index>
Thanks @richgalloway that seems like a really obvious solution now you say it. Referencing the docs I think therefore I should trial:
I appreciate the feedback and I will let you and the community know. The obvious drawback here is that you can't use a custom sourcetype per the client environment but I suppose oneshot is not designed for scale and batch or monitor should be used for the sustainable solution.
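An added example, not from the thread or from Splunk's shipped configuration: a props.conf stanza that gives the question's custom sourcetype the same JSON handling the built-in _json sourcetype gets, so the oneshot command can keep the client's sourcetype name. The stanza name xxxx:xxxx is the question's placeholder, and the timestamp field name is an assumption.

```ini
# Added example (not the thread's own config). Put this props.conf on the
# instance where "splunk add oneshot" is run: structured-data (INDEXED_EXTRACTIONS)
# parsing happens at the input, not on the indexer tier, so a stanza that only
# lives on the indexers will not change how a oneshot is parsed.

[xxxx:xxxx]
# Same mechanism the built-in _json sourcetype uses: fields are extracted at
# index time and a pretty-printed, multi-line JSON document is kept together
# as one event instead of being split per line.
INDEXED_EXTRACTIONS = json
# Fields are already indexed; search-time JSON extraction would duplicate them.
KV_MODE = none
# Assumed: the documents carry a "timestamp" field in ISO 8601 form. Drop both
# lines to fall back to the default timestamp handling.
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z

# Caveat: setting only "KV_MODE = json" on a custom sourcetype enables
# search-time field extraction but does not change line breaking, so a
# multi-line JSON document would still arrive as one event per line. That
# setting alone is sufficient only when the file is newline-delimited JSON
# (one complete object per line), where an event per line is the intended result.
```

Reload or restart the instance after editing props.conf, then re-run the oneshot with -sourcetype xxxx:xxxx and confirm the event count and extracted fields in search before relying on it.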