JSON Import Into Splunk with Nested Fields

cgalligan · ‎05-17-2018

I'm trying to import some JSON with nested field using the "Add Data" function, but I can't quite get the regex/ parsing correct. I want to pull everything in the "source" section.

The JSON events look like:

{
        "_index": "INDEX",
        "_type": "EVENT TYPE",
        "_id": "EVENTID",
        "_score": #,
        "_source": {
          "resp_pkts": #,
          "type": "TYPE",
          "id_orig_p": PORT,
          "duration": DURATION,
           "proto": "PROTOCOL",
          "received_timestamp": TIMESTAMP IN EPOCH,
          "ts": LOG TIMESTAMP
        }
      },

I have the following set in the props.conf
CHARSET UTF8
DATETIME_CONFIG CURRENT
SHOULD_LINEMERGE true
NO_BINARY_CHECK true
BREAK_ONLY_BEFORE "_source:{"
disabled false
KV_MODE json

alpsholic · ‎01-09-2019

I faced the same issue. The problem is with the "_source" key in the input json. Replace it with something like "data". Then Splunk recognizes all fields.,I have the same problem. The issue is with key "_source" in the input json. Replace it with some else for example: "data". Then you see all the fields inside data subjson.

ansif · ‎06-11-2018

Can you post the whole json?

JSON Import Into Splunk with Nested Fields

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Join the Conversation

JSON Import Into Splunk with Nested Fields

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard