JSON Import Into Splunk with Nested Fields

cgalligan · ‎05-17-2018

I'm trying to import some JSON with nested field using the "Add Data" function, but I can't quite get the regex/ parsing correct. I want to pull everything in the "source" section.

The JSON events look like:

{
        "_index": "INDEX",
        "_type": "EVENT TYPE",
        "_id": "EVENTID",
        "_score": #,
        "_source": {
          "resp_pkts": #,
          "type": "TYPE",
          "id_orig_p": PORT,
          "duration": DURATION,
           "proto": "PROTOCOL",
          "received_timestamp": TIMESTAMP IN EPOCH,
          "ts": LOG TIMESTAMP
        }
      },

I have the following set in the props.conf
CHARSET UTF8
DATETIME_CONFIG CURRENT
SHOULD_LINEMERGE true
NO_BINARY_CHECK true
BREAK_ONLY_BEFORE "_source:{"
disabled false
KV_MODE json

alpsholic · ‎01-09-2019

I faced the same issue. The problem is with the "_source" key in the input json. Replace it with something like "data". Then Splunk recognizes all fields.,I have the same problem. The issue is with key "_source" in the input json. Replace it with some else for example: "data". Then you see all the fields inside data subjson.

ansif · ‎06-11-2018

Can you post the whole json?

JSON Import Into Splunk with Nested Fields

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms