Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

json extract field

surekhasplunk
Communicator
‎08-17-2020 08:16 PM

i have one event entry like this indexed using props.conf entry like below. 

But this is not coming in json format its indexing only in raw format not sure why. Also because of that the column names ID, Name etc are not extracted automatically. 

[{'ID': 123, 'Name': 'hostname', 'SetupComplete': True, 'Plugin': 'someplugin', 'PluginName': 'someplugin', 'DomainName': 'something', 'DomainEmail': '', 'dontknow': '', 'Address': '1.2.3.4', 'BackupIntervalString': 'Manual', 'LastBackupString': 'Never (1 uploaded)', 'LastBackupAttemptString': 'Never', 'NextBackupString': '', 'Protocol': 'scp', 'Location': '', 'BaselineState': 'N/A', 'LastBackupCompliant': False, 'LastBackupCompliantString': 'N/A', 'ComplianceScore': -1, 'RetryInterval': 45, 'NumRetries': 0, 'KeepVersions': 0, 'Owner': 'someone@something.com', 'State': 'Idle', 'Uptime': 'Not monitored', 'BackupStatus': 'OK', 'BackupDU': '100MB', 'Manufacturer': 'dontknow', 'Model': 'dontknow', 'AssetID': '', 'Serial': '', 'Firmware': '', 'ApprovedBackups': 0, 'CurrentApproved': False, 'NumBackups': 1, 'Disabled': 'No', 'DomainDisabled': False, 'ApprovedState': 'good', 'IsPush': False, 'Updated': '0001-01-01T00:00:00Z'},

Can you please help here. 

[example_json]
CHARSET = UTF-8
DATETIME_CONFIG = CURRENT
KV_MODE = json
TRUNCATE = 0
SEDCMD-removejunk1 = s/^\[//g
LINE_BREAKER = ([\r\n,]*(?:{[^[{]+\[)?){'ID
SHOULD_LINEMERGE = false
SEDCMD-remove_end = s/]$//g
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

please tell me if i need to modify the props.conf entry or please help me with the extraction of fields. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
SplunkTrust
SplunkTrust
‎08-17-2020 11:43 PM

LINE_BREAKER=(.){'ID
SEDCMD-trim=s/'/"/g s/True/true/g s/False/false/g s/\]//

Splunk can't parse '(single quote). 
Also, you should modify to valid JSON.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
SplunkTrust
SplunkTrust
‎08-17-2020 11:43 PM

LINE_BREAKER=(.){'ID
SEDCMD-trim=s/'/"/g s/True/true/g s/False/false/g s/\]//

Splunk can't parse '(single quote). 
Also, you should modify to valid JSON.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎08-18-2020 12:30 AM

Thanks @to4kawa 

 

I tried this and i get only 1 event indexed like json, the 1st event and next all events are like raw events i think because ] is missing at the end ?

0 Karma
Reply
Solved! Jump to solution

to4kawa
SplunkTrust
SplunkTrust
‎08-18-2020 12:35 AM

sorry, I can see only one event. where is the others?

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎08-18-2020 12:51 AM

thanks i got it. i have to manually add ] before ID and then it works. Thanks and i modified to have double quotes instead of single .

Also can you please explain why to substitute True to true and False to false ?

0 Karma
Reply
Solved! Jump to solution

to4kawa
SplunkTrust
SplunkTrust
‎08-18-2020 12:54 AM

https://www.json.org/json-en.html

This is the first time I've heard of it.

"(double quote)
true / false(lower)

`(single qute) and True/False is not valid.

 

Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!