How can I forward json data with header?

kiwibenis · ‎11-06-2022

I am trying to get a json formated file into splunk. The file is being forwarded from a UF with monitor, it contains data from aircrafts (ADS-B Data). This is a sample:

{ "now" : 1667769466.071,
"messages" : 58728034,
"aircraft" : [
{"hex":"8963e3","type":"adsb_icao","flight":"UAE3KE ","r":"A6-EPT","t":"B77W","alt_baro":35000,"alt_geom":34475,"gs":526.3,"ias":281,"tas":486,"mach":0.828,"wd":241,"ws":45,"oat":-46,"tat":-15,"track":91.85,"roll":-0.35,"mag_heading":93.69,"true_heading":94.78,"baro_rate":0,"geom_rate":0,"squawk":"7313","emergency":"none","category":"A5","nav_qnh":1013.0,"nav_altitude_mcp":35008,"nav_heading":94.92,"lat":52.301067,"lon":1.596706,"nic":8,"rc":186,"seen_pos":0.864,"r_dst":186.487,"r_dir":295.3,"version":2,"nic_baro":1,"nac_p":9,"nac_v":1,"sil":3,"sil_type":"perhour","gva":2,"sda":2,"alert":0,"spi":0,"mlat":[],"tisb":[],"messages":24165,"seen":0.9,"rssi":-25.1},
{"hex":"47a531","type":"adsb_icao","flight":"NOZ7YW ","r":"LN-NGS","t":"B738","alt_baro":33000,"alt_geom":32400,"gs":468.2,"ias":258,"tas":430,"mach":0.732,"wd":221,"ws":41,"oat":-46,"tat":-22,"track":37.19,"track_rate":-0.22,"roll":-5.45,"mag_heading":35.86,"true_heading":36.99,"baro_rate":0,"geom_rate":0,"squawk":"1410","category":"A3","nav_qnh":1013.6,"nav_altitude_mcp":32992,"nav_altitude_fms":33008,"nav_heading":35.16,"lat":52.396033,"lon":1.734820,"nic":8,"rc":186,"seen_pos":10.505,"r_dst":184.026,"r_dir":297.5,"version":2,"nic_baro":1,"nac_p":9,"nac_v":1,"sil":3,"sil_type":"perhour","gva":2,"sda":2,"alert":0,"spi":0,"mlat":[],"tisb":[],"messages":8664,"seen":6.8,"rssi":-30.0},
{"hex":"484b91","type":"adsb_icao","flight":"KLM1293 ","r":"PH-BGK","t":"B737","alt_baro":40000,"alt_geom":39400,"gs":457.5,"ias":241,"tas":466,"mach":0.796,"wd":229,"ws":32,"oat":-47,"tat":-19,"track":304.94,"track_rate":-0.03,"roll":-0.18,"mag_heading":300.06,"true_heading":301.14,"baro_rate":32,"geom_rate":-64,"squawk":"6260","category":"A0","nav_qnh":1013.2,"nav_altitude_mcp":40000,"lat":53.694841,"lon":1.827527,"nic":8,"rc":186,"seen_pos":4.051,"r_dst":224.752,"r_dir":316.3,"version":0,"nac_p":8,"nac_v":0,"sil":2,"sil_type":"unknown","alert":0,"spi":0,"mlat":[],"tisb":[],"messages":4336025,"seen":2.2,"rssi":-30.0},
{"hex":"406754","type":"adsb_icao","flight":"EZY36HD ","r":"G-EZWC","t":"A320","alt_baro":38000,"alt_geom":37900,"gs":420.8,"track":320.79,"baro_rate":-256,"squawk":"5730","category":"A3","lat":49.963852,"lon":1.830091,"nic":8,"rc":186,"seen_pos":49.821,"r_dst":179.161,"r_dir":250.1,"version":2,"nac_v":1,"sil_type":"perhour","alert":0,"spi":0,"mlat":[],"tisb":[],"messages":122526,"seen":31.2,"rssi":-27.9},
{"hex":"400f99","type":"mode_s","r":"G-DBCJ","t":"A319","alt_baro":23000,"alt_geom":22625,"gs":475.2,"track":69.81,"baro_rate":0,"nac_v":1,"alert":0,"spi":0,"mlat":[],"tisb":[],"messages":11,"seen":2.3,"rssi":-31.1}
]
}

How can I get every line (starting with "hex") in a seperate event and all fields extracted?

Idealy the timestamp of every event is the one from the header line 1 named "now".

How can I forward json data with header?

field extraction

JSON

Linux

monitor

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

How can I forward json data with header?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.