I am working on seeing if there is a better way that I can consume the data I have from an Azure Blob storage.
I am using the Splunk Add-on for Microsoft Cloud Services, which is allowing me to grab the file from the Blob storage.
Now the file itself is actually a CSV, but the app does not recognize CSV to split up the data, so I had to create a props.conf and transforms.conf, which does allow me to get the data in and into fields. But it turns out that the CSV fields include 1 field that is the rawMessage, and it is actually a JSON of all the field data (and sometimes will contain a field which is not broken into a column of the CSV).
For now I am bringing all of the data in and separated into fields and then at search time doing a spath on the rawMessage field to get the other fields that only sometimes appear.
What I would like to do is, instead of all of the data being brought in, I want to only bring in the rawMessage field (which is JSON) and have that indexed, as it has all of the data/fields.
What is the best way to write the inputs/props/transforms to only read that field in and then parse it as a JSON so it will do the autobreakdown for fields?
Any help with this would be greatly appreciated.