Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert the data from JSON format to raw logs?

debjit_k
Path Finder
‎12-19-2022 07:16 PM

Hi ,

After onboarding trendmicro XDR we are facing few issue. 

1. Getting logs in JSON format 

2. Data is not pursed.

81DD1513-64A2-4028-9828-76E6F5A8FD02.jpeg

BCCBFC92-914E-4DF2-A7B5-D3FF2A0DA2E8.jpeg

  

Queries

1.Can you please help us out how to convert the data from JSON format to raw logs 

2. How to purse the data not getting any add on.

 

Note: attaching snap 

We are getting data and in below there is an option as show as raw text when we are clicking on it is coming in same line. Kindly help us out how to solve this issue

 

Thanks

Debjit

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-19-2022 11:59 PM

Hi @debjit_k,

at first I don't know why you don't like json, you can ghave all the extracted fields using "INDEXED_EXTRACTIONS = JSON" in the forwarder and you'll have all of them.

If you want them in raw format, don't use "INDEXED_EXTRACTIONS = JSON" but you have to manually extract all fields: it isn't a good idea!

Also the second idea isn't so good: it's always better to put all configurations in an Add-on and don't put them in $SPLUNK_HOME/etc/system/local.

Ciao.

Giuseppe

Reply

debjit_k
Path Finder
‎12-20-2022 08:12 AM

Hi @gcusell,

Thank you for the suggestion..

 

I though on JSON format the data is not pursed properly.

But in _raw I can see much more information which is not coming in JSON format. I believe we need to extract the required information and create a field.. 

Is my understanding is correct? 

Thank 

Debjit 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-20-2022 11:28 PM

Hi @debjit_k,

in this case I hint to work in data source parsing and not in working on text data because the work to extract fields is higher.

When you share a source, put it in text mode in the Code Sample Window, not in a screenshot so we can use it.

Ciao,

Giuseppe

0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎12-20-2022 01:25 PM

Can you expand on what you mean by not seeing all the information in the JSON data? I assume you don't want to click on the "+" in the JSON syntax highlighted event data to expand the list? Even then, you should have most of the field values you need on the field list on the left hand side.

Just a warning, if you use INDEXED_EXTRACTIONS=JSON (props.conf) on the data ingest side, you need to use KV_MODE=none (props.conf) for your sourcetype on your search head to prevent issues with duplicate field values.

Reply

debjit_k
Path Finder
‎12-20-2022 06:38 PM

Hi 

Thank you for clearing the doubt.. 

Yes we also put KV_MODE=noneon props.conf.

One concern im having even though if I can get data on search and reporting app but im not getting any data on the app trend micro vision one for splunk. Can you please guide me how to solve this issue.

 

Thanks 

Debjit 

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...