Getting Data In

Indexing JSON data

monteirolopes
Communicator

Hi,

I created a sourcetype (props.conf) to parse my json files. A local input (index once) was created only to test the props.conf and it works fine!
When I tried to create a continuously monitor file the events didn't appear in Splunk. I tried to monitor the entire folder (*.json) and a specific json file.
Has anyone had something similar?

follow my props.conf

[json_mention]
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = false
SHOULD_LINEMERGE = false
LINE_BREAKER = ({\s+"location":)
MUST_BREAK_AFTER = {\s+"location":
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=({\s+"collected_at":\s+")
MAX_TIMESTAMP_LOOKAHEAD=20

Best regards,

0 Karma

woodcock
Esteemed Legend

I agree with what @aakwah wrote but a bad props.conf file is not going to stop data from coming in (although it may come in "wrong"). We need to see your inputs.conf file. When you make changes to input.conf, you must restart the forwarder's splunk instance.

0 Karma

aakwah
Builder

Hello,

For json objects extraction you can make use of INDEXED_EXTRACTIONS, the following stanza should work fine.

 [json_mention]
 INDEXED_EXTRACTIONS = json
 KV_MODE = none
 LEARN_MODEL = false
 TRUNCATE = 0
 category = Structured
 description = JavaScript Object Notation format.

Please note that INDEXED_EXTRACTIONS should be applied at input time, when data is first read by Splunk.

Check props.conf doc for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Propsconf

Regards

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!