Solved: JSON logs are being indexed in Splunk, but why are...

anthonycopus · ‎11-25-2015

I have some simple, correctly designed, JSON logs being sent to Splunk.

However, Splunk is not automatically parsing the fields unless I add | spath to the search. What configuration do I need to change so I could simply do:

index=main event_name=demo

instead of

 index=main | spath | event_name=demo

Thanks!

jplumsdaine22 · ‎11-25-2015

Have you got KV_MODE=json in your props.conf for that sourcetype?

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf

View solution in original post

jplumsdaine22 · ‎11-25-2015

Have you got KV_MODE=json in your props.conf for that sourcetype?

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf

anthonycopus · ‎12-04-2015

Thanks, exactly what I needed!

JSON logs are being indexed in Splunk, but why are fields not parsed automatically unless I use the spath command in a search?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

JSON logs are being indexed in Splunk, but why are fields not parsed automatically unless I use the spath command in a search?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...