How to extract keys and values from the JSON data ...

marrette · ‎03-11-2019

Hi all,

Sorry I know this has been asked a million and one times here before but none of the previous answers seem to work for me.

I'm writing a modular input to collect data from another system using it's API. The modular input is working, it's getting the data, it's passing it into Splunk via XML streaming. It even seems like Splunk recognises it's JSON data (I can search for it and the output is nicely formatted as JSON). But the keys and values aren't being extracted into fields - which is really annoying because I can't search the data via a key value immediately.

I've tried adding "INDEXED_EXTRACTIONS = json" to the props.conf in default in the app on the heavy forwarder it's deployed on - but that's made no difference. I also tried adding "kv_mode = json" in the props.conf on the search head and that didn't help either.

Ideally I'd like to make it so this modular input causes Splunk to extract the key-value pairs from the data as it's indexed.

Is this possible? Or should I be attempting this in another way?

Thanks
Eddie

skalliger · ‎03-12-2019

Either you use INDEXED_EXTRACTIONS or KV_MODE, but not both. Set KV_MODE = none on your Search Head's props.conf if you really want to have indexed fields.

Skalli

chrisyounger · ‎03-11-2019

Both of these attempts should be correct to extract keys. I recommend KV_MODE = json becuase Splunk's strength is that its a search-time platform. If its doing the nice formatting, then that means its valid JSON. Might be worth using btool to check the sourcetype is definitely KV_MODE = json

chrisyounger · ‎03-11-2019

Also make sure you aren't in fast mode.

How to extract keys and values from the JSON data from data received from the Modular Input?

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest