Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure heavy forwarder to extract multivalue nested json ?

prashant5847
Loves-to-Learn Everything
‎06-29-2023 11:09 AM

I have following set up in place and I am sending events to splunk cloud from K8S cluster. I am using HF for data manipulation. 

K8S cluster  --> Heavy Forwarder --> Splunk Cloud

I received all events send by k8s cluster but not all field from events are getting extracted in json. 

Current Output


{ [-]
  action: modify
  containerid: 278e7bddd8b50ad885077
  count: 1
  host: example.com
  pid: 125
  time: 1456789023
  timestamp: 14567890234356
  metrics: {"metrics":{\"name1\":{\"m1\":\"downsample\",\"m2\":\"sum\"},\"name2\":{\"Headers\":{\"Selector\":{\"m1\":\"downsample\",\"m2\":\"sum\"}}}"}
  uid: 0
  user: 0
}

Looking for convert all data in JSON key value format as shown in expected output. 

Expected Output

 

{ [-]
  action: modify
  containerid: 278e7bddd8b50ad885077
  count: 1
  host: example.com
  pid: 125
  time: 1456789023
  timestamp: 14567890234356
  metrics: {[-]
     metrics:{ [-]
         name1:{ [-]
           m1: downsample
           m2: sum
         }
         name2:{ [-]
           Headers :{ [-]
             Selector :{ [-]
               m1: downsample
               m2: sum
             }
           }
         }
     }
  }
  uid: 0
  user: 0
}

 

  How I need to configure Splunk Heavy Forwarder to extract  multivalued nested json ?

Labels (3)
0 Karma
Reply

prashant5847
Loves-to-Learn Everything
‎07-12-2023 01:46 AM

Hi @venkatasri 

Thank you for your suggestion. Yes, after formatting data in proper JSON format, it extracted successfully. 

Further, we would like to move 'm1:  downsample' key value pair which is in Selector in same JSON message header part below host and above pid. Is this possible from splunk heavy forwarder ? If yes, what configuration changes I need to apply on the message ?

Thank you,
Prashant

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-03-2023 03:59 PM

Hi @prashant5847 , Splunk is good at auto extracting the JSON event if it is well formatted.

Did you search it on Search head and saw the fields not being extracted correctly? Choose search mode - Smart/Verbose.

If you still can not find it, you don't need to extract it on Heavy forwarder. Search head will do the extractions for you.
Either you could use spath command - Example  <your search return json event> | spath  - This is inline search.

Or update source type settings (props.conf) on search head to include following config-

[<sourcetype-name-of-json-events>]
AUTO_KV_JSON = true
KV_MODE = json

Hope this helps!

------------------------------

Srikanth Yarlagadda.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...