Getting Data In

JSON Import Into Splunk with Nested Fields

cgalligan
Explorer

I'm trying to import some JSON with nested field using the "Add Data" function, but I can't quite get the regex/ parsing correct. I want to pull everything in the "source" section.

The JSON events look like:

{
        "_index": "INDEX",
        "_type": "EVENT TYPE",
        "_id": "EVENTID",
        "_score": #,
        "_source": {
          "resp_pkts": #,
          "type": "TYPE",
          "id_orig_p": PORT,
          "duration": DURATION,
           "proto": "PROTOCOL",
          "received_timestamp": TIMESTAMP IN EPOCH,
          "ts": LOG TIMESTAMP
        }
      },

I have the following set in the props.conf
CHARSET UTF8
DATETIME_CONFIG CURRENT
SHOULD_LINEMERGE true
NO_BINARY_CHECK true
BREAK_ONLY_BEFORE "_source:{"
disabled false
KV_MODE json

0 Karma

alpsholic
Explorer

I faced the same issue. The problem is with the "_source" key in the input json. Replace it with something like "data". Then Splunk recognizes all fields.,I have the same problem. The issue is with key "_source" in the input json. Replace it with some else for example: "data". Then you see all the fields inside data subjson.

0 Karma

ansif
Motivator

Can you post the whole json?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...