com.splunk.Index.submit() with a JSON is not recognized in Splunk as Type Event parameters

krienstra
Engager

I have successfully implemented the Splunk Java SDK to write my own .class and implement the code within programs we run on several machines to send and retrieve data. I am able to retrieve search results as a List of <Event> or submit data to the index.

However, Splunk does not format my submitted data to the main index when presented as JSON. 

If I run the following code, the JSON is somehow formatted in the Splunk interface as a JSON with its red/green formatting. HOWEVER, the data is not formatted through Type Event and therefore I cannot search data based on an "application=test" String:

 

Index myIndex = service.getIndexes().get("main");
// Arguments sent along with the event (declaration was missing from the snippet)
Args eventArgs = new Args();
eventArgs.put("sourcetype", "_json");
String input = "{\"account\": \"test\",\"password\": \"Welkom\",\"hostname\": \"DESKTOP-KENNETH\",\"application\": \"test\"}";
myIndex.submit(eventArgs, input);

 

How do I need to submit a JSON where Splunk will recognize this as a Type Event with its corresponding key/value pairs?

This search will not retrieve the submitted JSON:

 

index=main application="test"

 

Type Event now has only one key/value pair: "timestamp: none".

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@krienstra 

Here, I suggest not using the _json sourcetype; clone it and use the clone.

Or create the configuration below in props.conf and send data to this sourcetype.

[m_json]
KV_MODE = json

I hope this will help you.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.

0 Karma
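
The approach from the accepted answer, as an added example that is not part of the original thread or of Splunk's own code: it submits a JSON event to the `m_json` sourcetype and polls a search to confirm that `application="test"` now matches. It assumes the `[m_json]` stanza above is already deployed; the `SPLUNK_*` environment variable names and the `marker` field are hypothetical names introduced for the example.

```java
import com.splunk.*;
import java.io.InputStream;

// Added example: submit a JSON event to a search-time JSON sourcetype and
// confirm its fields are searchable. SPLUNK_* variable names are hypothetical.
public class SubmitJsonEvent {
    public static void main(String[] args) throws Exception {
        HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);

        // Credentials come from the environment instead of being hardcoded.
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setUsername(System.getenv("SPLUNK_USER"));
        loginArgs.setPassword(System.getenv("SPLUNK_PASSWORD"));
        loginArgs.setHost(System.getenv("SPLUNK_HOST"));
        loginArgs.setPort(8089);
        Service service = Service.connect(loginArgs);

        // Constructed sample event. The unique marker lets the check below
        // match only this submission; the password field from the thread's
        // sample is left out so no secret lands in the index.
        String marker = "probe-" + System.currentTimeMillis();
        String input = "{\"account\": \"test\", \"hostname\": \"DESKTOP-KENNETH\", "
                + "\"application\": \"test\", \"marker\": \"" + marker + "\"}";

        Args eventArgs = new Args();
        eventArgs.put("sourcetype", "m_json"); // custom sourcetype, not _json
        service.getIndexes().get("main").submit(eventArgs, input);

        // Indexing is asynchronous, so poll a few times before giving up.
        String query = "search index=main sourcetype=m_json application=\"test\""
                + " marker=\"" + marker + "\"";
        for (int attempt = 1; attempt <= 10; attempt++) {
            Thread.sleep(2000);
            try (InputStream results = service.oneshotSearch(query)) {
                ResultsReaderXml reader = new ResultsReaderXml(results);
                Event event = reader.getNextEvent(); // null when nothing matched
                reader.close();
                if (event != null) {
                    System.out.println("Fields extracted, matched: " + event.get("_raw"));
                    return;
                }
            }
        }
        System.out.println("No match: check that [m_json] with KV_MODE = json "
                + "is deployed where the search runs.");
    }
}
```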

kamlesh_vaghela
SplunkTrust
SplunkTrust

@krienstra 

I think your code should work.

I have tried this and it worked fine. Can you please try this?

 

import com.splunk.*;

public class App {
    public static void main(String[] args) throws Exception {
        HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);

        // Create a map of arguments and add login parameters
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setUsername("admin");
        loginArgs.setPassword("admin123");
        loginArgs.setHost("localhost");
        loginArgs.setPort(8089);

        // Create a Service instance and log in with the argument map
        Service service = Service.connect(loginArgs);

        // Retrieve the index for the data
        Index myIndex = service.getIndexes().get("main");

        Args eventArgs = new Args();
        eventArgs.put("sourcetype", "_json");
        String input = "{\"account\": \"test\",\"password\": \"Welkom\",\"hostname\": \"DESKTOP-KENNETH\",\"application\": \"test\"}";
        myIndex.submit(eventArgs, input);

    }
}

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.

0 Karma

krienstra
Engager

Hi Kamlesh,

Could you search for "application=test" instead of "sourcetype=_json"? I see there is a problem with adding a "sourcetype: _json" via Args(). 

This is when I submit(Args eventArgs, String data) - it does not set the Type Event key/value pairs:

krienstra_0-1626085619536.png

This is if I only submit(String data) - it picks up all the key/value pairs:

krienstra_1-1626085692264.png

 

0 Karma


krienstra
Engager

That's right, I'll skip the "_json" and use another sourcetype. It seems that "_json" is not giving me the right result; I can use any other sourcetype except this one (not sure what exactly "_json" does as a sourcetype, but it's not working and I'll refrain from using it).

"json" does seem to work, giving me the right Event Types key/value pairs:

krienstra_0-1626093392787.png

String input = "{\"account\": \"test\",\"password\": \"Welkom\",\"hostname\": \"DESKTOP-KENNETH\",\"application\": \"test\"}";
Args eventArgs = new Args();
eventArgs.put("sourcetype", "json");
handler.sendEvent(eventArgs, "main", input);

 

0 Karma