How to create Indexed Field Extraction from JSON ...

manikanthkoti · ‎06-17-2020

Hi Everyone,

We are receiving below Data from HEC Token into Splunk.

{ "mirId": "Mule-111", "appVersion": "v1", "businessGroup": "Ecomm-Direct2Customer", "compress": false, "appName": "dev-pross-Ecomm-int-v1", "relational_correlationId": "22572801-b09e-11ea-9659-023335c1afde", "tracePointDescription": "Capture payload", "threadName": "[MuleRuntime].cpuLight.13: [adaptive-logger-test].adaptive-loggerFlow.CPU_LITE @6dbce5f9", "content": { "exception": "", "payload": "https://s3.console.aws.amazon.com/s3/object/unilever-ai-operationalframework/LEVEREDGE/prod/dispatch...?region=us-east-2&tab=overview", "businessFields": { }, "category": "org.unilever.apps.adaptiveloggertest" }, "environment": "TJ-Ecomm-Dev", "LogMessage": "Test-TJ-SCHED", "correlationId": "227425e0-b09e-11ea-9659-023335c1afde", "interfaceName": "Process finance Layer", "tracePoint": "START", "timestamp": "2020-06-17T13:26:21.759Z" }

We are trying to create a Indexed field for correlationId at Indexing time by using transforms.conf, props.conf, fields.conf .

How to link these conf files with inputs.conf.

Please help me in this.

Thanks&Regards,

Manikanth

How to create Indexed Field Extraction from JSON Data?

administration

development

metrics

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?