Hi,
I am trying to analyze a JSON file, but for some reason it is not getting indexed.
Here is a sample JSON file:
[
{
"FIELD1":"CNE",
"FIELD2":"cleanAndEnrich._130rfmtBR_StdAddrEnrch",
"FIELD3":"REC_READ",
"FIELD4":"",
"FIELD5":"",
"FIELD6":"5",
"FIELD7":""
},
{
"FIELD1":"CNE",
"FIELD2":"CNE",
"FIELD3":"REC_READ",
"FIELD4":"POLICY",
"FIELD5":"RA",
"FIELD6":"0",
"FIELD7":""
}
]
Here are my props.conf and input.conf:
[monitor:///opt/test/data/json_log/*.json]
host = localhost
source = jsonlog
sourcetype = zajsonlog
[root@sandbox local]# tail -10 props.conf
[source::/opt/test/data/json_log/*.json]
sourcetype = zajsonlog
[zajsonlog]
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = datetime
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
INDEXED_EXTRACTIONS = json
KV_MODE = none
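As an added example (not part of the original question or any of the answers): a small Python checker that parses the sample above, flags records that lack the datetime field named by TIMESTAMP_FIELDS or whose value does not match the configured TIME_FORMAT, and rewrites the top-level array as one object per line. It assumes that %l in TIME_FORMAT means three-digit milliseconds and that one record per line is the layout that cleanly gives one event per record under SHOULD_LINEMERGE = false; the function names are this example's own.

```python
import json
import re

# Constructed copy of the two-record sample from the question, embedded so this runs offline.
SAMPLE_JSON = """[
{"FIELD1":"CNE","FIELD2":"cleanAndEnrich._130rfmtBR_StdAddrEnrch","FIELD3":"REC_READ","FIELD4":"","FIELD5":"","FIELD6":"5","FIELD7":""},
{"FIELD1":"CNE","FIELD2":"CNE","FIELD3":"REC_READ","FIELD4":"POLICY","FIELD5":"RA","FIELD6":"0","FIELD7":""}
]"""

# Field named by TIMESTAMP_FIELDS in the props.conf above.
TIMESTAMP_FIELD = "datetime"
# Regex equivalent of TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z; %l taken as 3-digit milliseconds (assumption).
TIMESTAMP_RE = re.compile(r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}$")


def load_records(text):
    """Parse the file contents; accept a single object or a top-level array of objects."""
    data = json.loads(text)
    if isinstance(data, dict):
        return [data]
    if isinstance(data, list) and all(isinstance(r, dict) for r in data):
        return data
    raise ValueError("expected a JSON object or an array of JSON objects")


def check_records(records):
    """Return (record_index, message) findings; an empty list means every record carries a usable timestamp."""
    findings = []
    for i, rec in enumerate(records):
        ts = rec.get(TIMESTAMP_FIELD)
        if ts is None:
            findings.append((i, f"missing {TIMESTAMP_FIELD!r}; Splunk will have to guess the event time"))
        elif not TIMESTAMP_RE.match(str(ts)):
            findings.append((i, f"{TIMESTAMP_FIELD!r}={ts!r} does not match TIME_FORMAT"))
    return findings


def to_ndjson(records):
    """Emit one compact JSON object per line so each record becomes its own event."""
    return "\n".join(json.dumps(r, separators=(",", ":")) for r in records) + "\n"


if __name__ == "__main__":
    recs = load_records(SAMPLE_JSON)
    for idx, msg in check_records(recs):
        print(f"record {idx}: {msg}")
    print(to_ndjson(recs), end="")
```

Run against the sample it reports both records as missing `datetime`, which matches the point raised below that the props.conf names a timestamp field the data never contains; pointing `load_records` at the real file and writing the `to_ndjson` output to the monitored directory is the usage a practitioner would try next.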
Is it "not getting indexed," or is it "not getting indexed properly?"
Another thing I'm not sure of is your JSON format. As I recall JSON data doesn't have enclosing square brackets ([]). It should only have curly braces ({}) for enclosing the data. If it doesn't conform to JSON standards, it will not index it properly. You should set:
KV_MODE = json
SHOULD_LINEMERGE = true
and then it will properly index it as JSON data.
I also agree with ssievert that you should have a timestamp in the JSON if you can.
Thanks,
Now I am getting a different issue with JSON: the transaction is repeating twice for every record in the UI.
Is it a UI issue, or am I doing something wrong? Here is the sample display from the event. If you look, the Description attribute is repeating twice at the bottom.
{
"Id":"7097",
"ComponentTypeName":"Metcon",
"OwnershipLevelName":"Global",
"UserName":null,
"Name":"Fran",
"Description":"21-15-9 \nThrusters, 95# / 65# \nPull-ups",
"IsBenchmark":"True",
"HasBeenSaved":"True",
"IsNewComponentEmailSent":"False",
"AllowRxPlus":"False",
"Rounds":"0",
"Comments":null,
"RepScheme":null,
"PerformanceResultTypeName":"Time"
}
Description = 21-15-9 Thrusters, 95# / 65# Pull-ups
Description = 21-15-9 Thrusters, 95# / 65# Pull-ups
Id = 7097
Id = 7097
Name = Fran
Name = Fran
Thanks
Sanjeev
Can you supply a screenshot of the results? That will make it easier to figure out what is there.
I think we need a bit more detail. There is no datetime field in your sample data. You don't really need your [source::] stanza if you already set the sourcetype in inputs.conf (which is hopefully what your file is called instead of input.conf).
I'd recommend taking a look at splunkd.log for hints as to why the file is not being picked up.