Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

What are the requirements for a perfect Splunk JSON document?

ddrillic
Ultra Champion
‎01-30-2018 07:00 AM

Our Sales Engineer told us that the Splunk json parser requires several specific things in the json document, in order to be interpreted as json. What are they?

We would like to avoid hard-coded solutions such as How do we assign each JSON document to a distinct event?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-30-2018 07:09 AM

Why not just apply base configs to your JSON file and have it break correctly rather than trying to format the log to Splunk?

If you let Splunk try to figure out the linebreaking, it will add additional overhead to your indexing and slow it down.

Adding this will give you correct linebreaking and timestamping along with avoiding the merging pipeline which increases your indexing speed 

[sourcetype]
TIME_PREFIX = 
TIME_FORMAT = 
LINE_BREAKER = 
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 
TRUNCATE =

https://wiki.splunk.com/Community:HowIndexingWorks

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-30-2018 07:09 AM

Why not just apply base configs to your JSON file and have it break correctly rather than trying to format the log to Splunk?

If you let Splunk try to figure out the linebreaking, it will add additional overhead to your indexing and slow it down.

Adding this will give you correct linebreaking and timestamping along with avoiding the merging pipeline which increases your indexing speed 

[sourcetype]
TIME_PREFIX = 
TIME_FORMAT = 
LINE_BREAKER = 
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 
TRUNCATE =

https://wiki.splunk.com/Community:HowIndexingWorks

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-30-2018 07:44 AM

@skoelpin, good question.

We have teams that can form their json logs per the Splunk's needs. So, we are lucky in this sense.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-30-2018 08:43 AM

We were told by the Sales Engineer that as long as it's proper JSON, all we need to do is set -

INDEXED_EXTRACTIONS = json
category = Structured

in props.conf.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎03-15-2018 06:19 PM

For the record, the predefined _json sourcetype has these two defined config variables -

 INDEXED_EXTRACTIONS = json
 category = Structured
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-01-2018 04:21 PM

This solution works!!!

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-30-2018 08:48 AM

Your sales engineer is partially right, but you should ALWAYS apply base configs to lessen the indexer load when indexing data. This is a big part of the SCC2 bootcamp

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-30-2018 08:56 AM

Much appreciated @skoelpin.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...