Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the requirements for a perfect Splunk JSON document?

ddrillic
Ultra Champion
‎01-30-2018 07:00 AM

Our Sales Engineer told us that the Splunk json parser requires several specific things in the json document, in order to be interpreted as json. What are they?

We would like to avoid hard-coded solutions such as How do we assign each JSON document to a distinct event?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-30-2018 07:09 AM

Why not just apply base configs to your JSON file and have it break correctly rather than trying to format the log to Splunk?

If you let Splunk try to figure out the linebreaking, it will add additional overhead to your indexing and slow it down.

Adding this will give you correct linebreaking and timestamping along with avoiding the merging pipeline which increases your indexing speed 

[sourcetype]
TIME_PREFIX = 
TIME_FORMAT = 
LINE_BREAKER = 
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 
TRUNCATE =

https://wiki.splunk.com/Community:HowIndexingWorks

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-30-2018 07:09 AM

Why not just apply base configs to your JSON file and have it break correctly rather than trying to format the log to Splunk?

If you let Splunk try to figure out the linebreaking, it will add additional overhead to your indexing and slow it down.

Adding this will give you correct linebreaking and timestamping along with avoiding the merging pipeline which increases your indexing speed 

[sourcetype]
TIME_PREFIX = 
TIME_FORMAT = 
LINE_BREAKER = 
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 
TRUNCATE =

https://wiki.splunk.com/Community:HowIndexingWorks

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-30-2018 07:44 AM

@skoelpin, good question.

We have teams that can form their json logs per the Splunk's needs. So, we are lucky in this sense.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-30-2018 08:43 AM

We were told by the Sales Engineer that as long as it's proper JSON, all we need to do is set -

INDEXED_EXTRACTIONS = json
category = Structured

in props.conf.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎03-15-2018 06:19 PM

For the record, the predefined _json sourcetype has these two defined config variables -

 INDEXED_EXTRACTIONS = json
 category = Structured
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-01-2018 04:21 PM

This solution works!!!

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-30-2018 08:48 AM

Your sales engineer is partially right, but you should ALWAYS apply base configs to lessen the indexer load when indexing data. This is a big part of the SCC2 bootcamp

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-30-2018 08:56 AM

Much appreciated @skoelpin.

Reply
Get Updates on the Splunk Community!

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...