Getting Data In

Why is Splunk not parsing JSON data correctly with my current sourcetype configuration?

rusty009
Path Finder

I am trying to import JSON objects into Splunk; my sourcetype is below:

[ _json_cloudflare ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT=%s%9N
TIME_PREFIX=^
category=Structured
description=JSON cloudflare
disabled=false
pulldown_type=true

This works flawlessly on the search head, but when I index the data, it goes into Splunk like below:

(screenshot of the indexed event omitted)

The sourcetype is on both the universal forwarder and the indexer; any ideas what is wrong?

Accepted solution

Yorokobi
SplunkTrust

JSON is a wonderful data structure that Splunk handles beautifully so long as it is 100% JSON and Splunk is properly informed about it.

So, a few things I would do:

  1. Don't use a _ to prefix your sourcetype names. I know, Splunk does that in the UI, but I'm of the opinion that _-prefixed names should only be used for internal-to-Splunk data types, field names, etc.
  2. Remove the spaces inside the stanza declaration: [good_stanza] vs. [ bad_stanza ]
  3. Place only the relevant bits of the props.conf where they matter.

    props.conf on the universal forwarder and search head:

    [json_sourcetype]
    INDEXED_EXTRACTIONS = JSON

    props.conf on the indexer(s):

    [json_sourcetype]
    TIME_PREFIX = timestamp:
    TIME_FORMAT = %s%3N
    MAX_TIMESTAMP_LOOKAHEAD = 15

I removed TIMESTAMP_FIELDS in favour of TIME_PREFIX so that time extraction will work in the event that field extractions fail.

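As an added worked example (not code from this thread, and not Splunk's own parser): a small Python check that applies a candidate TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD to sample events before the stanza is pushed to a forwarder or indexer. The two sample events, the field name timestamp, the epoch values in them, and the function names are constructed for illustration. The parsing is a simplified model of Splunk's epoch handling (%s, optionally followed by %<n>N for subseconds) and assumes the prefix regex is written against the double-quoted key, as it appears in standard JSON; it is a pre-deployment sanity check, not a reproduction of Splunk's timestamp code.

```python
import re
from datetime import datetime, timezone

# Constructed sample events standing in for Cloudflare JSON lines. They are
# not from the original post; field names and values are made up.
EVENT_MS = '{"timestamp":1585699200123,"ClientIP":"203.0.113.7","EdgeResponseStatus":200}'
EVENT_NS = '{"timestamp":1585699200123456789,"ClientIP":"203.0.113.7"}'

# Candidate props.conf settings to test offline. TIME_PREFIX is a regex, as in
# Splunk; the key is quoted because the events are standard JSON (assumption).
TIME_PREFIX = r'"timestamp"\s*:\s*"?'
MAX_TIMESTAMP_LOOKAHEAD = 15


def extract_timestamp(event, time_prefix, time_format, max_lookahead=None):
    """Simplified model of TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + an epoch-style
    TIME_FORMAT (%s with an optional %<n>N). Returns an aware UTC datetime, or
    None when the prefix does not match or no digits follow it. This is an
    approximation for checking a stanza, not Splunk's own parser."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():]
    if max_lookahead is not None:
        window = window[:max_lookahead]          # Splunk only reads this far
    fmt = re.fullmatch(r"%s(?:%([1-9])N)?", time_format)
    if fmt is None:
        raise ValueError("only %s and %s%<n>N are modelled here")
    frac_digits = int(fmt.group(1) or 0)
    digits = re.match(r"\d+", window)
    if digits is None:
        return None
    raw = digits.group(0)
    if len(raw) <= frac_digits:
        return None
    sec_part = raw[:len(raw) - frac_digits]     # leading digits are seconds
    frac_part = raw[len(raw) - frac_digits:] if frac_digits else "0"
    frac = int(frac_part)
    if frac_digits <= 6:
        micros = frac * 10 ** (6 - frac_digits)
    else:
        micros = frac // 10 ** (frac_digits - 6)
    try:
        return datetime.fromtimestamp(int(sec_part), tz=timezone.utc).replace(microsecond=micros)
    except (OverflowError, OSError, ValueError):
        return None


def is_plausible(ts, earliest=datetime(2015, 1, 1, tzinfo=timezone.utc),
                 latest=datetime(2100, 1, 1, tzinfo=timezone.utc)):
    """A mis-sized %N or a lookahead that truncates the number rarely fails
    outright; it silently lands the event decades away. Bound-check it."""
    return ts is not None and earliest <= ts < latest


def check_stanza(events, time_prefix, time_format, max_lookahead):
    """Apply the candidate settings to each sample event.
    Returns a list of (event, parsed timestamp or None, plausible?)."""
    results = []
    for ev in events:
        ts = extract_timestamp(ev, time_prefix, time_format, max_lookahead)
        results.append((ev, ts, is_plausible(ts)))
    return results


if __name__ == "__main__":
    for fmt in ("%s%3N", "%s%9N"):
        print(f"TIME_FORMAT = {fmt}, MAX_TIMESTAMP_LOOKAHEAD = {MAX_TIMESTAMP_LOOKAHEAD}")
        for ev, ts, ok in check_stanza([EVENT_MS, EVENT_NS], TIME_PREFIX, fmt,
                                       MAX_TIMESTAMP_LOOKAHEAD):
            print(f"  {'OK ' if ok else 'BAD'} {ts}  <- {ev[:40]}...")
```

Run it with both TIME_FORMAT values that appear in the thread: %s%3N on a millisecond value parses to 2020-04-01, while the same format on a 19-digit nanosecond value, or %s%9N with a 15-character lookahead, produces a date far from the real one, which is the failure mode the plausibility bound is there to catch. Replace the constructed events with a few real lines captured from the forwarder before trusting the stanza.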

cyndiback
Path Finder

How are you bringing in CloudFlare logs?



rusty009
Path Finder

Thanks, that worked!


somesoni2
Revered Legend

I don't see any issues here. The JSON parser of Splunk Web shows the JSON syntax highlighted, and that means the indexed data is correctly parsed as JSON.

If you want to see the actual raw data without highlighting, click on the "Show as raw text" hyperlink below the event.
