Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Indexing JSON data

monteirolopes
Communicator
‎05-29-2017 05:46 AM

Hi,

I created a sourcetype (props.conf) to parse my json files. A local input (index once) was created only to test the props.conf and it works fine!
When I tried to create a continuously monitor file the events didn't appear in Splunk. I tried to monitor the entire folder (*.json) and a specific json file.
Has anyone had something similar?

follow my props.conf

[json_mention]
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = false
SHOULD_LINEMERGE = false
LINE_BREAKER = ({\s+"location":)
MUST_BREAK_AFTER = {\s+"location":
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=({\s+"collected_at":\s+")
MAX_TIMESTAMP_LOOKAHEAD=20

Best regards,

0 Karma
Reply

woodcock
Esteemed Legend
‎06-01-2017 06:35 AM

I agree with what @aakwah wrote but a bad props.conf file is not going to stop data from coming in (although it may come in "wrong"). We need to see your inputs.conf file. When you make changes to input.conf, you must restart the forwarder's splunk instance.

0 Karma
Reply

aakwah
Builder
‎05-29-2017 06:12 AM

Hello,

For json objects extraction you can make use of INDEXED_EXTRACTIONS, the following stanza should work fine.

 [json_mention]
 INDEXED_EXTRACTIONS = json
 KV_MODE = none
 LEARN_MODEL = false
 TRUNCATE = 0
 category = Structured
 description = JavaScript Object Notation format.

Please note that INDEXED_EXTRACTIONS should be applied at input time, when data is first read by Splunk.

Check props.conf doc for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Propsconf

Regards

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...