I am trying to import JSON objects into splunk, my sourcetype is below,
[ _json_cloudflare ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT=%s%9N
TIME_PREFIX=^
category=Structured
description=JSON cloudflare
disabled=false
pulldown_type=true
This works flawlessly on the search head, but when I index the data, it goes into Splunk like below,
The sourcetype is on both the universal forwarder and the indexer; any ideas what is wrong?
I don't see any issues here. The JSON parser of Splunk Web shows the JSON syntax highlighted, and that means the indexed data is correctly parsed as JSON.
If you want to see the actual raw data without highlighting, click on the "Show as raw text" hyperlink below the event.
JSON is a wonderful data structure that Splunk handles beautifully so long as it is 100% JSON and Splunk is properly informed about it.
So, a few things I would do:
Place only the relevant bits of the props.conf where they matter.
props.conf on the universal forwarder and search head:
INDEXED_EXTRACTIONS = JSON
props.conf on the indexer(s):
TIME_PREFIX = timestamp:
TIME_FORMAT = %s%3N
MAX_TIMESTAMP_LOOKAHEAD = 15
I removed TIMESTAMP_FIELDS in favour of TIME_PREFIX so that time extraction will work in the event field extractions fail.
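A way to check sample events against such a sourcetype before they reach an indexer, as an added example that is not part of the thread and not Splunk's own code: the script below approximates the TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD behaviour for the epoch-style formats used above (%s with an optional %<N>N suffix), and also confirms each line is valid JSON, since INDEXED_EXTRACTIONS = JSON only helps when the whole event is JSON. The sample events are constructed and the TIME_PREFIX value (a regex matching the key as it appears in raw JSON) is an assumption, as are the three property values it tests against.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events (not real Cloudflare data): one with an epoch-millisecond
# timestamp, one with epoch nanoseconds, and one truncated so it is not valid JSON.
SAMPLE_EVENTS = [
    '{"ClientIP":"203.0.113.10","ClientRequestHost":"example.com","timestamp":1591000000123}',
    '{"ClientIP":"203.0.113.11","ClientRequestHost":"example.com","timestamp":1591000000123456789}',
    '{"ClientIP":"203.0.113.12","ClientRequestHost":"example.com","timestamp":1591000000123',
]

# Assumed props.conf values to test against. TIME_PREFIX is a regex, as in Splunk; the
# value here matches the key as it appears in raw JSON and is an assumption, not the thread's.
PROPS = {
    "TIME_PREFIX": r'"timestamp":',
    "TIME_FORMAT": "%s%3N",
    "MAX_TIMESTAMP_LOOKAHEAD": 15,
}

_EPOCH_FORMAT = re.compile(r"%s(?:%([1-9])N)?")


def expected_digits(time_format):
    """Digits an epoch TIME_FORMAT consumes: 10 for %s plus N for an optional %<N>N suffix.

    Only this epoch-style subset of strptime is modelled; other formats raise.
    """
    m = _EPOCH_FORMAT.fullmatch(time_format)
    if m is None:
        raise ValueError(f"unsupported TIME_FORMAT for this check: {time_format!r}")
    frac = int(m.group(1)) if m.group(1) else 0
    return 10 + frac, frac


def check_event(raw, props=PROPS):
    """Approximate what indexing would do with one raw line under the given props.

    Returns a dict: valid_json, timestamp_found, epoch_seconds, subsecond, utc, reason.
    """
    result = {"valid_json": False, "timestamp_found": False,
              "epoch_seconds": None, "subsecond": None, "utc": None, "reason": ""}
    try:
        json.loads(raw)
    except json.JSONDecodeError as exc:
        result["reason"] = f"invalid JSON: {exc.msg} at column {exc.colno}"
        return result
    result["valid_json"] = True

    # TIME_PREFIX is applied as a regex; the timestamp is read from just after the match.
    prefix = re.search(props["TIME_PREFIX"], raw)
    if prefix is None:
        result["reason"] = "TIME_PREFIX did not match anywhere in the event"
        return result

    run = re.match(r"\d+", raw[prefix.end():])
    if run is None:
        result["reason"] = "no digits follow TIME_PREFIX"
        return result
    digits = run.group()
    ndigits, _ = expected_digits(props["TIME_FORMAT"])
    lookahead = props["MAX_TIMESTAMP_LOOKAHEAD"]
    # Only MAX_TIMESTAMP_LOOKAHEAD characters after the prefix are examined for a timestamp.
    if len(digits) > lookahead:
        result["reason"] = f"{len(digits)} digits exceed MAX_TIMESTAMP_LOOKAHEAD={lookahead}"
        return result
    if len(digits) != ndigits:
        result["reason"] = (f"{len(digits)} digits, but TIME_FORMAT {props['TIME_FORMAT']} "
                            f"expects {ndigits}")
        return result

    result["timestamp_found"] = True
    result["epoch_seconds"] = int(digits[:10])
    result["subsecond"] = digits[10:]
    result["utc"] = datetime.fromtimestamp(result["epoch_seconds"], tz=timezone.utc).isoformat()
    return result


def check_events(lines, props=PROPS):
    """Run check_event over every line and return (results, number that fully passed)."""
    results = [check_event(line, props) for line in lines]
    return results, sum(1 for r in results if r["timestamp_found"])


if __name__ == "__main__":
    results, ok = check_events(SAMPLE_EVENTS)
    for line, r in zip(SAMPLE_EVENTS, results):
        status = "OK" if r["timestamp_found"] else "FAIL"
        print(f"{status:4} {r['reason'] or r['utc']}  <- {line[:60]}...")
    print(f"{ok}/{len(results)} events would index with the expected timestamp")
```

Run it against a few lines pulled from the real feed in place of the constructed ones; the reasons it reports (invalid JSON, prefix not matching, digit count not matching the %s%3N versus %s%9N choice, or the run of digits exceeding the lookahead) are the same mismatches that otherwise only show up as wrong event times after indexing.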