Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the host value from INDEXED_EXTRACTIONS = json

Brett
SplunkTrust
SplunkTrust
‎12-05-2021 08:59 PM

How can I get the "host" value extracted from a JSON event with "INDEXED_EXTRACTIONS = json" into the events host field?

By default, this value ends up in the extracted_host value, and the following INGEST_EVAL does not work:

INGEST_EVAL = host:=extracted_host, extracted_host:=null() 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Brett
SplunkTrust
SplunkTrust
‎12-05-2021 09:00 PM

Answered this question myself.

The "extracted_host" is actually still "host" in the _meta key, so the solution is to force Splunk to read the _meta key for its value.

INGEST_EVAL = host:=$field:host$, $field:host$:=null()

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Brett
SplunkTrust
SplunkTrust
‎12-05-2021 09:00 PM

Answered this question myself.

The "extracted_host" is actually still "host" in the _meta key, so the solution is to force Splunk to read the _meta key for its value.

INGEST_EVAL = host:=$field:host$, $field:host$:=null()
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...