How to assign the correct sourcetype configuration...

irfahlevi · ‎01-18-2015

Hi All,

I have a problem when trying to add my .json file into splunk. I have a problem with the sourcetype setting. I have tried to pick json type but nothing is detected. I am able to see some part of the data when i pick system defaults.

Below is a sample of my .json file:

{ "data_source_name":"www.motorshank.com",
        "segment":["20150107090842"],
        "data_source":"smart.social.crawler",
        "digest":["81ee304e17b919c0ef00fcf420c3d316"],
        "tstamp":["2015-01-07T02:10:33.218Z"],
        "date":["2014-11-28T18:10:34.291Z"],
        "url":"http://www.motorshank.com/%e0%b8%a3%e0%b8%b2%e0%b8%84%e0%b8%b2-toyota-%e0%b8%9b%e0%b8%a3%e0%b8%b0%e0%b8%88%e0%b8%b3%e0%b8%9b%e0%b8%b5-2013-2014.html",
        "id":"http://www.motorshank.com/%e0%b8%a3%e0%b8%b2%e0%b8%84%e0%b8%b2-toyota-%e0%b8%9b%e0%b8%a3%e0%b8%b0%e0%b8%88%e0%b8%b3%e0%b8%9b%e0%b8%b5-2013-2014.html",
        "body":["ราคา Toyota ในตลาดรถยนต์ ประจำปี 2013-2014 ],
        "author":["shawshank"],
        "title":["ราคา Toyota ในตลาดรถยนต์ ประจำปี 2013-2014"],
        "data_source_type":"News",
        "boost":["Infinity"],
        "_version_":1489604275253280768,
        "timestamp":"2015-01-07T02:21:51.74Z"}

dolivasoh · ‎01-19-2015

try these

sourcetype = json
KV_MODE = json
TRUNCATE = 0

How to assign the correct sourcetype configuration for indexing JSON data?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!