Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Indexing JSON data

monteirolopes
Communicator
‎05-29-2017 05:46 AM

Hi,

I created a sourcetype (props.conf) to parse my json files. A local input (index once) was created only to test the props.conf and it works fine!
When I tried to create a continuously monitor file the events didn't appear in Splunk. I tried to monitor the entire folder (*.json) and a specific json file.
Has anyone had something similar?

follow my props.conf

[json_mention]
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = false
SHOULD_LINEMERGE = false
LINE_BREAKER = ({\s+"location":)
MUST_BREAK_AFTER = {\s+"location":
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=({\s+"collected_at":\s+")
MAX_TIMESTAMP_LOOKAHEAD=20

Best regards,

0 Karma
Reply

woodcock
Esteemed Legend
‎06-01-2017 06:35 AM

I agree with what @aakwah wrote but a bad props.conf file is not going to stop data from coming in (although it may come in "wrong"). We need to see your inputs.conf file. When you make changes to input.conf, you must restart the forwarder's splunk instance.

0 Karma
Reply

aakwah
Builder
‎05-29-2017 06:12 AM

Hello,

For json objects extraction you can make use of INDEXED_EXTRACTIONS, the following stanza should work fine.

 [json_mention]
 INDEXED_EXTRACTIONS = json
 KV_MODE = none
 LEARN_MODEL = false
 TRUNCATE = 0
 category = Structured
 description = JavaScript Object Notation format.

Please note that INDEXED_EXTRACTIONS should be applied at input time, when data is first read by Splunk.

Check props.conf doc for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Propsconf

Regards

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...