
Json format is not getting indexed

htsvaggar
New Member

Hi,

I am trying to analyze the JSON file, but for some reason it is not getting indexed.
Here is a sample json file
[
{
"FIELD1":"CNE",
"FIELD2":"cleanAndEnrich._130rfmtBR_StdAddrEnrch",
"FIELD3":"REC_READ",
"FIELD4":"",
"FIELD5":"",
"FIELD6":"5",
"FIELD7":""
},
{
"FIELD1":"CNE",
"FIELD2":"CNE",
"FIELD3":"REC_READ",
"FIELD4":"POLICY",
"FIELD5":"RA",
"FIELD6":"0",
"FIELD7":""
}
]

Here is my props.conf and input.conf

[monitor:///opt/test/data/json_log/*.json]
host = localhost
source = jsonlog
sourcetype = zajsonlog

[root@sandbox local]# tail -10 props.conf
[source::/opt/test/data/json_log/*.json]
sourcetype = zajsonlog

[zajsonlog]
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = datetime
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
INDEXED_EXTRACTIONS = json
KV_MODE = none

0 Karma

cpetterborg
SplunkTrust

Is it "not getting indexed," or is it "not getting indexed properly?"

Another thing I'm not sure of is your JSON format. As I recall, JSON data doesn't have enclosing square brackets ([]). It should only have curly braces ({}) for enclosing the data. If it doesn't conform to JSON standards, it will not index it properly. You should set:

KV_MODE = json
SHOULD_LINEMERGE = true

and then it will properly index it as JSON data.

I also agree with ssievert that you should have a timestamp in the JSON if you can.

0 Karma

htsvaggar
New Member

Thanks,

Now I am getting a different issue with JSON: the transaction is repeating twice for every record in the UI.

Is it a UI issue, or am I doing something wrong? Here is the sample display from the event. If you look, the Description attribute is repeated twice at the bottom.

{
  "Id":"7097",
  "ComponentTypeName":"Metcon",
  "OwnershipLevelName":"Global",
  "UserName":null,
  "Name":"Fran",
  "Description":"21-15-9 \nThrusters, 95# / 65# \nPull-ups",
  "IsBenchmark":"True",
  "HasBeenSaved":"True",
  "IsNewComponentEmailSent":"False",
  "AllowRxPlus":"False",
  "Rounds":"0",
  "Comments":null,
  "RepScheme":null,
  "PerformanceResultTypeName":"Time"
}
Description = 21-15-9 Thrusters, 95# / 65# Pull-ups
Description = 21-15-9 Thrusters, 95# / 65# Pull-ups
Id = 7097
Id = 7097
Name = Fran
Name = Fran

Thanks
Sanjeev

0 Karma

cpetterborg
SplunkTrust

Can you supply an image screenshot of the results? That will be easier to figure out what is there.

0 Karma

s2_splunk
Splunk Employee

I think we need a bit more detail. There is no datetime field in your sample data. You don't really need your [source::] stanza if you already set the sourcetype in inputs.conf (which is hopefully what your file is called instead of input.conf).

I'd recommend taking a look at splunkd.log for hints as to why the file is not being picked up.

0 Karma
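Two things the replies above point at are worth checking before touching props.conf: whether the file actually parses as JSON, and whether each event carries the datetime field that TIMESTAMP_FIELDS = datetime expects. The script below is an added example, not code from the thread or from Splunk: it validates a file body, splits a top-level array into one compact object per line (one event per line, which fits SHOULD_LINEMERGE = false), and adds a datetime value rendered in the question's TIME_FORMAT (%m-%d-%Y %H:%M:%S.%l %z). The sample input is constructed to match the question's file; the function names are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the file in the question: a top-level
# array of objects, none of which has a datetime field.
SAMPLE_FILE = '''[
{"FIELD1":"CNE","FIELD2":"cleanAndEnrich._130rfmtBR_StdAddrEnrch",
 "FIELD3":"REC_READ","FIELD4":"","FIELD5":"","FIELD6":"5","FIELD7":""},
{"FIELD1":"CNE","FIELD2":"CNE","FIELD3":"REC_READ","FIELD4":"POLICY",
 "FIELD5":"RA","FIELD6":"0","FIELD7":""}
]'''


def splunk_timestamp(epoch_seconds):
    """Render a time as '%m-%d-%Y %H:%M:%S.%l %z' (the TIME_FORMAT in
    the question). %l is Splunk's milliseconds token, which Python's
    strftime lacks, so the three digits are formatted by hand."""
    dt = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    millis = f"{dt.microsecond // 1000:03d}"
    return dt.strftime("%m-%d-%Y %H:%M:%S.") + millis + dt.strftime(" %z")


def to_events(text, now_epoch=None):
    """Parse a JSON file body and return one compact JSON object per line.

    Accepts a single object or a top-level array of objects. Each event
    gets a 'datetime' field (existing values are kept) so that
    TIMESTAMP_FIELDS = datetime has something to read. Raises ValueError
    for invalid JSON or for array elements that are not objects.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if isinstance(data, dict):
        data = [data]
    if not isinstance(data, list) or not all(isinstance(e, dict) for e in data):
        raise ValueError("expected an object or an array of objects")
    stamp = splunk_timestamp(now_epoch if now_epoch is not None
                             else datetime.now(timezone.utc).timestamp())
    lines = []
    for event in data:
        event = dict(event)
        event.setdefault("datetime", stamp)
        lines.append(json.dumps(event, separators=(",", ":")))
    return lines


if __name__ == "__main__":
    for line in to_events(SAMPLE_FILE):
        print(line)
```

Writing the returned lines to a new file gives you a newline-delimited JSON file whose events each parse on their own and carry a timestamp that the existing TIME_FORMAT can read.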