Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract keys and values from the JSON data from data received from the Modular Input?

marrette
Path Finder
‎03-11-2019 08:27 PM

Hi all,

Sorry I know this has been asked a million and one times here before but none of the previous answers seem to work for me.

I'm writing a modular input to collect data from another system using it's API. The modular input is working, it's getting the data, it's passing it into Splunk via XML streaming. It even seems like Splunk recognises it's JSON data (I can search for it and the output is nicely formatted as JSON). But the keys and values aren't being extracted into fields - which is really annoying because I can't search the data via a key value immediately.

I've tried adding "INDEXED_EXTRACTIONS = json" to the props.conf in default in the app on the heavy forwarder it's deployed on - but that's made no difference. I also tried adding "kv_mode = json" in the props.conf on the search head and that didn't help either.

Ideally I'd like to make it so this modular input causes Splunk to extract the key-value pairs from the data as it's indexed.

Is this possible? Or should I be attempting this in another way?

Thanks
Eddie

0 Karma
Reply

skalliger
Motivator
‎03-12-2019 04:52 AM

Either you use INDEXED_EXTRACTIONS or KV_MODE, but not both. Set KV_MODE = none on your Search Head's props.conf if you really want to have indexed fields.

Skalli

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 08:32 PM

Both of these attempts should be correct to extract keys. I recommend KV_MODE = json becuase Splunk's strength is that its a search-time platform. If its doing the nice formatting, then that means its valid JSON. Might be worth using btool to check the sourcetype is definitely KV_MODE = json

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 09:59 PM

Also make sure you aren't in fast mode.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...