Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

detected_host, detected_timestamp, etc. with JSON file source

yuanliu
SplunkTrust
SplunkTrust
‎06-14-2021 09:41 AM

If I upload a file containing JSON records or monitor such a file/scripted input, a field named host becomes "detected_host", timestamp becomes "detected_timestamp", etc.  Is there some way to persuade indexer to accept these fields as host, _time, etc.?

I am looking at a number of such sources all with varying field names for these.  So, I hope by renaming/setting corresponding commonly used fields I could just use the default _json sourcetype without resorting to search time tricks.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:54 PM

Hi @yuanliu 

Splunk doesn't prefix the fieldnames as detected* this could be some pre-existing settings at search/index time  modifying host, timestamp fields. Let's continue...to solution

To answers your query, for timestamp field use props.conf - TIME_PREFIX, TIME_FORMAT variables to consider as _time by Splunk. Should be deployed to HF/indexer.

host field in your json can be assigned to host default field using both props.conf, transforms.conf.

 

##This is just example of host override, should be deployed to HF/indexer. #works for any input type UF/scripted input

#props.conf
[your_json_sourcetype/host::<hostname>/source::<your_source>]
TRANSFORMS-host = hostoverride

#Transforms.conf Override host: , REGEX should match your host in json payload
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

 

 

---

An upvote would be appreciated if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:54 PM

Hi @yuanliu 

Splunk doesn't prefix the fieldnames as detected* this could be some pre-existing settings at search/index time  modifying host, timestamp fields. Let's continue...to solution

To answers your query, for timestamp field use props.conf - TIME_PREFIX, TIME_FORMAT variables to consider as _time by Splunk. Should be deployed to HF/indexer.

host field in your json can be assigned to host default field using both props.conf, transforms.conf.

 

##This is just example of host override, should be deployed to HF/indexer. #works for any input type UF/scripted input

#props.conf
[your_json_sourcetype/host::<hostname>/source::<your_source>]
TRANSFORMS-host = hostoverride

#Transforms.conf Override host: , REGEX should match your host in json payload
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

 

 

---

An upvote would be appreciated if it helps!

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-16-2021 06:40 PM
Splunk doesn't prefix the fieldnames as detected* this could be some pre-existing settings at search/index time  modifying host, timestamp fields. Let's continue...to solution

Well, this is the behavior on a pretty clean install.

As you explained, if I want to set host/time/eventtype, etc., at index time for a JSON file, there is no escape from doing custom sourcetype, even if I change field names to host, _time,  etc.  Thanks, @venkatasri!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...