Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexing JSON data

monteirolopes
Communicator
‎05-29-2017 05:46 AM

Hi,

I created a sourcetype (props.conf) to parse my json files. A local input (index once) was created only to test the props.conf and it works fine!
When I tried to create a continuously monitor file the events didn't appear in Splunk. I tried to monitor the entire folder (*.json) and a specific json file.
Has anyone had something similar?

follow my props.conf

[json_mention]
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = false
SHOULD_LINEMERGE = false
LINE_BREAKER = ({\s+"location":)
MUST_BREAK_AFTER = {\s+"location":
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=({\s+"collected_at":\s+")
MAX_TIMESTAMP_LOOKAHEAD=20

Best regards,

0 Karma
Reply

woodcock
Esteemed Legend
‎06-01-2017 06:35 AM

I agree with what @aakwah wrote but a bad props.conf file is not going to stop data from coming in (although it may come in "wrong"). We need to see your inputs.conf file. When you make changes to input.conf, you must restart the forwarder's splunk instance.

0 Karma
Reply

aakwah
Builder
‎05-29-2017 06:12 AM

Hello,

For json objects extraction you can make use of INDEXED_EXTRACTIONS, the following stanza should work fine.

 [json_mention]
 INDEXED_EXTRACTIONS = json
 KV_MODE = none
 LEARN_MODEL = false
 TRUNCATE = 0
 category = Structured
 description = JavaScript Object Notation format.

Please note that INDEXED_EXTRACTIONS should be applied at input time, when data is first read by Splunk.

Check props.conf doc for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Propsconf

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...