
How to convert the data from JSON format to raw logs?

debjit_k
Path Finder

Hi ,

After onboarding Trend Micro XDR we are facing a few issues:

1. Getting logs in JSON format 

2. Data is not parsed.

[two screenshot attachments]

Queries

1. Can you please help us out with how to convert the data from JSON format to raw logs?

2. How do we parse the data? We are not getting any add-on.

Note: attaching snaps.

We are getting data, and below it there is an option "show as raw text"; when we click on it, the data comes out on the same line. Kindly help us out with how to solve this issue.

Thanks

Debjit


gcusello
SplunkTrust

Hi @debjit_k,

First of all, I don't know why you don't like JSON: you can have all the extracted fields by using "INDEXED_EXTRACTIONS = JSON" on the forwarder, and you'll have all of them.

If you want them in raw format, don't use "INDEXED_EXTRACTIONS = JSON", but then you have to manually extract all fields: it isn't a good idea!

Also the second idea isn't so good: it's always better to put all configurations in an Add-on and not in $SPLUNK_HOME/etc/system/local.

Ciao.

Giuseppe

debjit_k
Path Finder

Hi @gcusello,

Thank you for the suggestion.

I thought that in JSON format the data is not parsed properly.

But in _raw I can see much more information which is not coming through in JSON format. I believe we need to extract the required information and create fields.

Is my understanding correct?

Thanks

Debjit


gcusello
SplunkTrust

Hi @debjit_k,

in this case I suggest working on the data source parsing and not on the text data, because the work to extract fields is higher.

When you share a source, put it in text mode in the Code Sample window, not in a screenshot, so we can use it.

Ciao,

Giuseppe


m_pham
Splunk Employee

Can you expand on what you mean by not seeing all the information in the JSON data? I assume you don't want to click on the "+" in the JSON syntax-highlighted event data to expand the list? Even then, you should have most of the field values you need in the field list on the left-hand side.

Just a warning: if you use INDEXED_EXTRACTIONS=JSON (props.conf) on the data ingest side, you need to use KV_MODE=none (props.conf) for your sourcetype on your search head to prevent issues with duplicate field values.
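To make the two answers above concrete, here is an added example (not from this thread, and not the configuration shipped with Trend Micro's add-on) of the pair of props.conf stanzas they describe: index-time JSON extraction where the data is parsed, and search-time auto-extraction switched off on the search head, both kept in a dedicated add-on instead of $SPLUNK_HOME/etc/system/local. The add-on name (TA-trendmicro-xdr-custom), the sourcetype name (trendmicro:xdr:json) and the timestamp key (eventTime) are assumptions; substitute the ones your data actually uses.

```ini
# --- Forwarder, or the first full Splunk instance that parses the data ---
# $SPLUNK_HOME/etc/apps/TA-trendmicro-xdr-custom/local/props.conf
# (add-on name and sourcetype name are assumptions for this example)
[trendmicro:xdr:json]
# Parse each event as JSON at index time; every key becomes an indexed field.
INDEXED_EXTRACTIONS = json
# One JSON object per event; do not let Splunk re-merge lines into events.
SHOULD_LINEMERGE = false
# Read the event time from a JSON key instead of scanning the raw text.
# "eventTime" is an assumed key name; check what your events actually carry.
TIMESTAMP_FIELDS = eventTime
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
# Large nested JSON events must not be cut off at the default 10000 bytes.
TRUNCATE = 0

# --- Search head ---
# $SPLUNK_HOME/etc/apps/TA-trendmicro-xdr-custom/local/props.conf
[trendmicro:xdr:json]
# The fields already exist from the index-time extraction. Turning off
# search-time key=value extraction stops every field appearing twice
# with duplicate values, which is the problem m_pham warns about.
KV_MODE = none
```

To confirm which copy of a setting actually wins after deployment, run `$SPLUNK_HOME/bin/splunk btool props list trendmicro:xdr:json --debug` on each tier; it prints every setting in the stanza together with the file it came from. Note also that "Show as raw text" displays the stored _raw string as received: a JSON object that arrived as a single line is shown on a single line by design, while the syntax-highlighted view pretty-prints it.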

debjit_k
Path Finder

Hi 

Thank you for clearing the doubt.. 

Yes, we also put KV_MODE=none in props.conf.

One concern I'm having: even though I can get data in the Search & Reporting app, I'm not getting any data in the Trend Micro Vision One for Splunk app. Can you please guide me on how to solve this issue?

Thanks

Debjit