Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write parsing configuration for json file?

vin02ptl
Explorer
‎11-03-2019 02:15 AM

My log contains multiple {} data structure and i want to get all json field inside extracted field in splunk . How to parse?

{ [-]
service: [ [-]
{ [-]
name: xxxxx

id: xxx
}

]

Filename: xxx

dest: xxx

created_at: xxxx
destination_port: null

source: xxx

username: zxx
}

0 Karma
Reply

arjunpkishore5
Motivator
‎11-03-2019 09:47 AM

props.conf with KV_MODE set to JSON should do the trick for you

Documentation on props.conf here - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

0 Karma
Reply

vin02ptl
Explorer
‎11-03-2019 09:54 AM

i have tried, but fields are not reflecting under interesting field

0 Karma
Reply

arjunpkishore5
Motivator
‎11-03-2019 10:00 AM

what are the fields showing up in Interesting fields ?

0 Karma
Reply

vin02ptl
Explorer
‎11-03-2019 10:02 AM

Filename: xxx
dest: xxx
created_at: xxxx
destination_port: null
source: xxx
username: zxx

above fields are not populating and time and date field which i have added those only populating

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top