Getting Data In

How to extract JSON at index time?

adexteracc
Explorer

I am trying to extract some json data at index time. I have found the article about using regular expressions to create custom fields but regex is not well suited to extracting json. I understand that spath can take out the json data during a search but in this case it is required that I extract the data into fields at index time.

0 Karma

jluo_splunk
Splunk Employee
Splunk Employee

You can ingest the data using the _json sourcetype - this will enable indexed field extractions.

Alternatively, if you don't want to keep the _json sourcetype name, you can set INDEXED_EXTRACTION=JSON in props.conf.

0 Karma

hortonew
Builder

Have you already tried applying INDEXED_EXTRACTIONS=JSON in your props.conf at your universal forwarder level (or wherever the input is configured)?

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...