Solved: JSON logs are being indexed in Splunk, but why are...

anthonycopus · ‎11-25-2015

I have some simple, correctly designed, JSON logs being sent to Splunk.

However, Splunk is not automatically parsing the fields unless I add | spath to the search. What configuration do I need to change so I could simply do:

index=main event_name=demo

instead of

 index=main | spath | event_name=demo

Thanks!

jplumsdaine22 · ‎11-25-2015

Have you got KV_MODE=json in your props.conf for that sourcetype?

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf

View solution in original post

jplumsdaine22 · ‎11-25-2015

Have you got KV_MODE=json in your props.conf for that sourcetype?

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf

anthonycopus · ‎12-04-2015

Thanks, exactly what I needed!

JSON logs are being indexed in Splunk, but why are fields not parsed automatically unless I use the spath command in a search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation