Json format is not getting indexed

New Member

Hi,

I am trying to analyze a JSON file, but for some reason it is not getting indexed.
Here is a sample JSON file:
[
{
"FIELD1":"CNE",
"FIELD2":"cleanAndEnrich._130rfmtBR_StdAddrEnrch",
"FIELD3":"REC_READ",
"FIELD4":"",
"FIELD5":"",
"FIELD6":"5",
"FIELD7":""
},
{
"FIELD1":"CNE",
"FIELD2":"CNE",
"FIELD3":"REC_READ",
"FIELD4":"POLICY",
"FIELD5":"RA",
"FIELD6":"0",
"FIELD7":""
}
]

Here are my props.conf and input.conf:

[monitor:///opt/test/data/json_log/*.json]
host = localhost
source = jsonlog
sourcetype = zajsonlog

[root@sandbox local]# tail -10 props.conf
[source::/opt/test/data/json_log/*.json]
sourcetype = zajsonlog

[zajsonlog]
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = datetime
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
INDEXED_EXTRACTIONS = json
KV_MODE = none

SplunkTrust

Is it "not getting indexed," or is it "not getting indexed properly?"

Another thing I'm not sure of is your JSON format. As I recall, JSON data doesn't have enclosing square brackets ([]). It should only have curly braces ({}) for enclosing the data. If it doesn't conform to JSON standards, it will not index it properly. You should set:

KV_MODE = json
SHOULD_LINEMERGE = true

and then it will properly index it as JSON data.

I also agree with ssievert that you should have a timestamp in the JSON if you can.


New Member

Thanks,

Now I am getting a different issue with JSON: the transaction is repeating twice for every record in the UI.

Is it a UI issue, or am I doing something wrong? Here is the sample display from the event. As you can see, the Description attribute is repeated twice at the bottom.

{
  "Id":"7097",
  "ComponentTypeName":"Metcon",
  "OwnershipLevelName":"Global",
  "UserName":null,
  "Name":"Fran",
  "Description":"21-15-9 \nThrusters, 95# / 65# \nPull-ups",
  "IsBenchmark":"True",
  "HasBeenSaved":"True",
  "IsNewComponentEmailSent":"False",
  "AllowRxPlus":"False",
  "Rounds":"0",
  "Comments":null,
  "RepScheme":null,
  "PerformanceResultTypeName":"Time"
}
Description = 21-15-9 Thrusters, 95# / 65# Pull-ups
Description = 21-15-9 Thrusters, 95# / 65# Pull-ups
Id = 7097
Id = 7097
Name = Fran
Name = Fran

Thanks
Sanjeev

SplunkTrust

Can you supply an image screenshot of the results? That will be easier to figure out what is there.

Splunk Employee
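A common cause of the doubled Description, Id and Name lines shown above is extracting the same JSON fields twice: once at index time through INDEXED_EXTRACTIONS = json and again at search time through KV_MODE = json. Splunk's props.conf documentation recommends KV_MODE = none for a sourcetype that uses INDEXED_EXTRACTIONS for exactly this reason. The script below is an added example, not code from the thread or from Splunk: it parses props.conf text (a constructed copy of the poster's stanza with the suggested KV_MODE = json applied, plus a search-time-only stanza for contrast, with the millisecond token written as %3N as an assumption) and reports sourcetypes that enable both extraction paths.

```python
"""Flag Splunk sourcetypes that would extract JSON fields twice.

Added example, not part of the original thread. It reads props.conf-style
text and reports every sourcetype stanza that sets INDEXED_EXTRACTIONS while
leaving search-time KV_MODE on, which makes each field show up twice in the
event view.
"""
import configparser

# Constructed sample: the poster's stanza after the suggested KV_MODE = json
# change was layered on top of the existing INDEXED_EXTRACTIONS = json, plus
# a search-time-only stanza that is fine as it is.
SAMPLE_PROPS = """
[source::/opt/test/data/json_log/*.json]
sourcetype = zajsonlog

[zajsonlog]
SHOULD_LINEMERGE = true
TIMESTAMP_FIELDS = datetime
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%3N %z
INDEXED_EXTRACTIONS = json
KV_MODE = json

[ndjson_searchtime]
SHOULD_LINEMERGE = false
KV_MODE = json
"""


def parse_props(text):
    """Parse props.conf text into {stanza_name: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive; keep them
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def double_extraction(stanzas):
    """Return the sourcetype stanzas that extract JSON at index AND search time.

    KV_MODE defaults to "auto" when unset, so only an explicit KV_MODE = none
    turns search-time extraction off.
    """
    findings = {}
    for name, settings in stanzas.items():
        if name.startswith(("source::", "host::")):
            continue  # routing stanzas, not sourcetype definitions
        indexed = settings.get("INDEXED_EXTRACTIONS", "").strip().lower()
        kv_mode = settings.get("KV_MODE", "auto").strip().lower()
        if indexed and kv_mode != "none":
            findings[name] = {"INDEXED_EXTRACTIONS": indexed, "KV_MODE": kv_mode}
    return findings


def fixed_stanza(name, settings):
    """Render the stanza with index-time extraction kept and KV_MODE = none."""
    fixed = dict(settings)
    fixed["KV_MODE"] = "none"
    lines = [f"[{name}]"] + [f"{key} = {value}" for key, value in fixed.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    stanzas = parse_props(SAMPLE_PROPS)
    for name, why in double_extraction(stanzas).items():
        print(f"{name}: {why} -> every JSON field will appear twice")
        print(fixed_stanza(name, stanzas[name]))
```

Run it against the real props.conf by replacing SAMPLE_PROPS with the file contents; the other valid fix is the mirror image, dropping INDEXED_EXTRACTIONS and keeping KV_MODE = json, which moves all extraction to search time.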

I think we need a bit more detail. There is no datetime field in your sample data. You don't really need your [source::] stanza if you already set the sourcetype in inputs.conf (which is hopefully what your file is called instead of input.conf).

I'd recommend taking a look at splunkd.log for hints as to why the file is not being picked up.

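Two of the points raised in the thread can be checked before the file ever reaches the monitor input: the props.conf stanza names a datetime field that the sample records do not carry, and SHOULD_LINEMERGE = false means each line must hold one complete event. The script below is an added example, not code from the thread or from Splunk. It takes a file shaped like the poster's (a top-level JSON array of objects, reconstructed inline with a constructed datetime value added to two of the records), rejects anything that is not an object or lacks a datetime in the %m-%d-%Y %H:%M:%S.%3N %z layout, and writes one compact object per line. The field name and layout come from the posted props.conf; using %3N for milliseconds in place of %l is an assumption.

```python
"""Validate a JSON array file and reshape it to one object per line.

Added example; not code from the thread. Records without a parseable
`datetime` field (the name TIMESTAMP_FIELDS points at in the posted
props.conf) are rejected rather than indexed with a guessed timestamp.
"""
import json
import re
from datetime import datetime

# Constructed sample: the thread's two records with a datetime field added,
# plus one record without a timestamp and one element that is not an object.
SAMPLE_JSON = """[
 {"datetime": "03-14-2014 10:15:30.123 +0000", "FIELD1": "CNE",
  "FIELD2": "cleanAndEnrich._130rfmtBR_StdAddrEnrch", "FIELD3": "REC_READ",
  "FIELD4": "", "FIELD5": "", "FIELD6": "5", "FIELD7": ""},
 {"datetime": "03-14-2014 10:15:31.456 +0000", "FIELD1": "CNE",
  "FIELD2": "CNE", "FIELD3": "REC_READ", "FIELD4": "POLICY",
  "FIELD5": "RA", "FIELD6": "0", "FIELD7": ""},
 {"FIELD1": "CNE", "FIELD3": "REC_READ"},
 "not an object"
]"""

TIMESTAMP_FIELD = "datetime"
# Splunk layout %m-%d-%Y %H:%M:%S.%3N %z. Python's %f accepts 1 to 6 digits,
# so the exact three-digit millisecond part is checked with a regex first.
PY_TIME_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"
MILLIS_RE = re.compile(r"\.\d{3} ")


def valid_timestamp(value):
    """True if value matches the TIME_FORMAT the props.conf stanza expects."""
    if not isinstance(value, str) or not MILLIS_RE.search(value):
        return False
    try:
        datetime.strptime(value, PY_TIME_FORMAT)
    except ValueError:
        return False
    return True


def to_ndjson(text):
    """Return (ndjson_lines, rejected) for a JSON object or array of objects.

    rejected is a list of (index, reason) pairs for records that were dropped.
    """
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]  # a single object is accepted as a one-record file
    if not isinstance(data, list):
        raise ValueError("top level must be a JSON object or an array of objects")
    lines, rejected = [], []
    for index, record in enumerate(data):
        if not isinstance(record, dict):
            rejected.append((index, "not a JSON object"))
            continue
        if not valid_timestamp(record.get(TIMESTAMP_FIELD)):
            rejected.append((index, f"missing or malformed {TIMESTAMP_FIELD}"))
            continue
        # json.dumps escapes newlines inside values (see the multi-line
        # Description in the thread), so the line breaker never splits a record.
        lines.append(json.dumps(record, separators=(",", ":"), ensure_ascii=False))
    return lines, rejected


if __name__ == "__main__":
    ok, bad = to_ndjson(SAMPLE_JSON)
    print("\n".join(ok))
    for index, reason in bad:
        print(f"record {index}: {reason}")
```

The output file pairs with SHOULD_LINEMERGE = false and either INDEXED_EXTRACTIONS = json or KV_MODE = json (not both); the rejected list is what to look at when splunkd.log shows the file being read but fewer events than expected appearing.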