Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- json extract field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have one event entry like this indexed using props.conf entry like below.
But this is not coming in json format its indexing only in raw format not sure why. Also because of that the column names ID, Name etc are not extracted automatically.
[{'ID': 123, 'Name': 'hostname', 'SetupComplete': True, 'Plugin': 'someplugin', 'PluginName': 'someplugin', 'DomainName': 'something', 'DomainEmail': '', 'dontknow': '', 'Address': '1.2.3.4', 'BackupIntervalString': 'Manual', 'LastBackupString': 'Never (1 uploaded)', 'LastBackupAttemptString': 'Never', 'NextBackupString': '', 'Protocol': 'scp', 'Location': '', 'BaselineState': 'N/A', 'LastBackupCompliant': False, 'LastBackupCompliantString': 'N/A', 'ComplianceScore': -1, 'RetryInterval': 45, 'NumRetries': 0, 'KeepVersions': 0, 'Owner': 'someone@something.com', 'State': 'Idle', 'Uptime': 'Not monitored', 'BackupStatus': 'OK', 'BackupDU': '100MB', 'Manufacturer': 'dontknow', 'Model': 'dontknow', 'AssetID': '', 'Serial': '', 'Firmware': '', 'ApprovedBackups': 0, 'CurrentApproved': False, 'NumBackups': 1, 'Disabled': 'No', 'DomainDisabled': False, 'ApprovedState': 'good', 'IsPush': False, 'Updated': '0001-01-01T00:00:00Z'},
Can you please help here.
[example_json]
CHARSET = UTF-8
DATETIME_CONFIG = CURRENT
KV_MODE = json
TRUNCATE = 0
SEDCMD-removejunk1 = s/^\[//g
LINE_BREAKER = ([\r\n,]*(?:{[^[{]+\[)?){'ID
SHOULD_LINEMERGE = false
SEDCMD-remove_end = s/]$//g
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
please tell me if i need to modify the props.conf entry or please help me with the extraction of fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LINE_BREAKER=(.){'ID
SEDCMD-trim=s/'/"/g s/True/true/g s/False/false/g s/\]//
Splunk can't parse '(single quote).
Also, you should modify to valid JSON.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LINE_BREAKER=(.){'ID
SEDCMD-trim=s/'/"/g s/True/true/g s/False/false/g s/\]//
Splunk can't parse '(single quote).
Also, you should modify to valid JSON.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @to4kawa
I tried this and i get only 1 event indexed like json, the 1st event and next all events are like raw events i think because ] is missing at the end ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, I can see only one event. where is the others?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks i got it. i have to manually add ] before ID and then it works. Thanks and i modified to have double quotes instead of single .
Also can you please explain why to substitute True to true and False to false ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://www.json.org/json-en.html
This is the first time I've heard of it.
"(double quote)
true / false(lower)
`(single qute) and True/False is not valid.
Unlock Database Monitoring with Splunk Observability Cloud
Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All
[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk
