Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ingesting Event format JSON

CarolinaHB
Explorer
‎02-05-2024 04:55 PM

Hello, good mornig. 

Currently, I am sending the following data, but when ingested into Splunk, it is not recognized in JSON format.

 

 

 

Feb  5 18:50:30 10.0.30.81 {"LogTimestamp": "Tue Feb  6 00:50:31 2024","Customer": "xxxxxx","SessionID": "xxxxxx","SessionType": "TTN_ASSISTANT_BROKER_STATS","SessionStatus": "TT_STATUS_AUTHENTICATED","Version": "","Platform": "","XXX": "XX-X-9888","Connector": "XXXXXXXX","ConnectorGroup": "XXX XXX XXXXXX GROUP","PrivateIP": "","PublicIP": "18.24.9.8","Latitude": 0.000000,"Longitude": 0.000000,"CountryCode": "","TimestampAuthentication": "2024-01-28T09:26:31.592Z","TimestampUnAuthentication": "","CPUUtilization": 0,"MemUtilization": 0,"ServiceCount": 0,"InterfaceDefRoute": "","DefRouteGW": "","PrimaryDNSResolver": "","HostStartTime": "0","ConnectorStartTime": "0","NumOfInterfaces": 0,"BytesRxInterface": 0,"PacketsRxInterface": 0,"ErrorsRxInterface": 0,"DiscardsRxInterface": 0,"BytesTxInterface": 0,"PacketsTxInterface": 0,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 19162399,"TotalBytesTx": 16432931,"MicroTenantID": "0"}

 

Can you help me? 

Can this line be removed using the forwarder from the props files?

Regards, 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-05-2024 05:23 PM

Hi @CarolinaHB,

JSON format should be only valid JSON string.

If you can send log by removing  first "Feb 5 18:50:30 10.0.30.81"  then it should be shown as a JSON.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-05-2024 05:29 PM

It's not recognized as JSON format because it isn't JSON format.  The text before the first { disqualifies it.

How are you ingesting this event?  What are the inputs.conf and props.conf settings?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-05-2024 05:23 PM

Hi @CarolinaHB,

JSON format should be only valid JSON string.

If you can send log by removing  first "Feb 5 18:50:30 10.0.30.81"  then it should be shown as a JSON.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

CarolinaHB
Explorer
‎02-05-2024 06:01 PM

Can this line be removed using the forwarder from the props.conf files?"

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...