Solved: JSON logs are being indexed in Splunk, but why are...

anthonycopus · ‎11-25-2015

I have some simple, correctly designed, JSON logs being sent to Splunk.

However, Splunk is not automatically parsing the fields unless I add | spath to the search. What configuration do I need to change so I could simply do:

index=main event_name=demo

instead of

 index=main | spath | event_name=demo

Thanks!

jplumsdaine22 · ‎11-25-2015

Have you got KV_MODE=json in your props.conf for that sourcetype?

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf

View solution in original post

jplumsdaine22 · ‎11-25-2015

Have you got KV_MODE=json in your props.conf for that sourcetype?

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf

anthonycopus · ‎12-04-2015

Thanks, exactly what I needed!

JSON logs are being indexed in Splunk, but why are fields not parsed automatically unless I use the spath command in a search?

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI

Are you a member of the Splunk Community?

JSON logs are being indexed in Splunk, but why are fields not parsed automatically unless I use the spath command in a search?

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI