Parsing JSON syslog data - additional fields extra...

seshagirik545 · ‎07-07-2019

Hi All,

need help in parsing below JSON message.

{ "MsgDesc": "1229340728.000000:iso.3.6.1.4.1.9.9.96.1.1.1.1.2.567777 = INTEGER: 1 iso.3.6.1.4.1.9.9.96.1.1.1.1.3.345455 = INTEGER: 3 iso.3.6.1.4.1.9.9.96.1.1.1.1.4.345435 = INTEGER: 1 iso.3.6.1.4.1.9.9.96.1.1.1.1.5.111249171 = IpAddress: 192.168.1.100 iso.3.6.1.4.1.9.9.", "MsgType": "SNMPD-3-ERROR", "Severity": 3}

props for this sourcetype are in HF ( Splunk version 7.3.0 😞

pulldown_type = true
category = Structured
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS= json
SHOULD_LINEMERGE = false

The problem is along with the MsgDesc, MsgType & Severity, Splunk extracting iso.3.6.1.4.1.9.9.96.1.1.1.1.2.567777, iso.3.6.1.4.1.9.9.96.1.1.1.1.3.345455 also. from the MsgDesc value. I dont want these extra fields. Is there a way solve this?

Thanks,
Seshu

jkat54 · ‎07-07-2019

That's because splunk is also auto extracting the Key value Pairs (this=that), most likely because you are in verbose mode while searching. Your KV_MODE=none should fix that but it has to be set on your search heads not the forwarder.

Also INDEXED_EXTRACTIONS=JSON should be all uppercase and it should be on the first forwarder that "sees" the data (UF or HF).

Parsing JSON syslog data - additional fields extraction happening.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation