com.splunk.Index.submit() with a JSON is not recognized in Splunk as Type Event parameters

krienstra
Engager

I have successfully implemented the Splunk Java SDK to write my own .class and implement the code within programs we run on several machines to send and retrieve data. I am able to retrieve search results as a List of <Event> or submit data to the index.

However, Splunk does not format my submitted data to the main index when presented as JSON. 

If I run the following code, the JSON is somehow formatted in the Splunk interface as a JSON with its red/green formatting. HOWEVER, the data is not formatted through Type Event, and therefore I cannot search data based on an "application=test" String:

 

// Args carries the event metadata (here, the sourcetype) passed to submit()
Args eventArgs = new Args();
Index myIndex = service.getIndexes().get("main");
eventArgs.put("sourcetype", "_json");
String input = "{\"account\": \"test\",\"password\": \"Welkom\",\"hostname\": \"DESKTOP-KENNETH\",\"application\": \"test\"}";
myIndex.submit(eventArgs, input);

 

How do I need to submit a JSON so that Splunk will recognize it as a Type Event with its corresponding key/value pairs?

This search will not retrieve the submitted JSON:

 

index=main application="test"

 

Type Event now has only one key/value pair: "timestamp: none".

0 Karma

kamlesh_vaghela
SplunkTrust

@krienstra 

I think your code should work.

I have tried this and worked fine. Can you please try this?

 

import com.splunk.*;

public class App {
    public static void main(String[] args) throws Exception {
        HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);

        // Create a map of arguments and add login parameters
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setUsername("admin");
        loginArgs.setPassword("admin123");
        loginArgs.setHost("localhost");
        loginArgs.setPort(8089);

        // Create a Service instance and log in with the argument map
        Service service = Service.connect(loginArgs);

        // Retrieve the index for the data
        Index myIndex = service.getIndexes().get("main");

        Args eventArgs = new Args();
        eventArgs.put("sourcetype", "_json");
        String input = "{\"account\": \"test\",\"password\": \"Welkom\",\"hostname\": \"DESKTOP-KENNETH\",\"application\": \"test\"}";
        myIndex.submit(eventArgs, input);

    }
}

 


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

krienstra
Engager

Hi Kamlesh,

Could you search for "application=test" instead of "sourcetype=_json"? I see there is a problem with adding a "sourcetype: _json" via Args(). 

This is when I submit(Args eventArgs, String data) - it does not set the Type Event key/value pairs:

krienstra_0-1626085619536.png

This is if I only submit(String data) - it picks up all the key/value pairs:

krienstra_1-1626085692264.png

 

0 Karma

kamlesh_vaghela
SplunkTrust

@krienstra 

Here, I suggest not using the _json sourcetype directly; clone it and use the clone.

Or create the configuration below in props.conf and send data to this sourcetype.

[m_json]
KV_MODE = json

 


I hope this will help you.

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
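
The suggestion above as an added end-to-end check (example code, not from the original posts): it submits a constructed event to the `m_json` sourcetype and polls with a field-based search until `application="test"` matches. It assumes the `[m_json]` stanza from the answer is deployed; the environment variable names, the `marker` field and the class name are hypothetical.

```java
import com.splunk.*;
import java.io.InputStream;
import java.util.Map;

public class SubmitJsonCheck {
    public static void main(String[] args) throws Exception {
        HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);

        // Credentials come from the environment (variable names are assumptions)
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setUsername(System.getenv("SPLUNK_USER"));
        loginArgs.setPassword(System.getenv("SPLUNK_PASSWORD"));
        loginArgs.setHost("localhost");
        loginArgs.setPort(8089);
        Service service = Service.connect(loginArgs);

        // Constructed sample event; the marker makes the check match only this submission
        String marker = "check-" + System.currentTimeMillis();
        String input = "{\"account\": \"test\", \"hostname\": \"DESKTOP-KENNETH\", "
                + "\"application\": \"test\", \"marker\": \"" + marker + "\"}";

        Args eventArgs = new Args();
        eventArgs.put("sourcetype", "m_json"); // stanza from the answer: KV_MODE = json
        service.getIndexes().get("main").submit(eventArgs, input);

        // Field-based search: it only matches if the key/value pairs were extracted
        String query = "search index=main sourcetype=m_json application=\"test\" marker=\""
                + marker + "\" | head 1";

        // Indexing is asynchronous, so poll for a few seconds before giving up
        Map<String, String> found = null;
        for (int attempt = 0; attempt < 10 && found == null; attempt++) {
            Thread.sleep(1000);
            try (InputStream results = service.oneshotSearch(query)) {
                ResultsReaderXml reader = new ResultsReaderXml(results);
                found = reader.getNextEvent(); // null when the search returned no events
                reader.close();
            }
        }

        if (found == null) {
            System.err.println("No event matched application=\"test\"; fields were not extracted");
            System.exit(1);
        }
        System.out.println("Extracted application=" + found.get("application"));
    }
}
```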

krienstra
Engager

That's right, I'll skip the "_json" and use another sourcetype. It seems that "_json" is not giving me the right result; I can use any other sourcetype except this (not sure what exactly "_json" does as a sourcetype, but it's not working and I'll refrain from using it).

"json" does seem to work, giving me the right Event Types key/value pairs:

krienstra_0-1626093392787.png

String input = "{\"account\": \"test\",\"password\": \"Welkom\",\"hostname\": \"DESKTOP-KENNETH\",\"application\": \"test\"}";
Args eventArgs = new Args();
eventArgs.put("sourcetype", "json");
handler.sendEvent(eventArgs, "main", input);

 

0 Karma