Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create Indexed Field Extraction from JSON Data?

manikanthkoti
Loves-to-Learn Everything
‎06-17-2020 06:40 AM

Hi Everyone,

 

We are receiving below Data from HEC Token into Splunk.

{ "mirId": "Mule-111", "appVersion": "v1", "businessGroup": "Ecomm-Direct2Customer", "compress": false, "appName": "dev-pross-Ecomm-int-v1", "relational_correlationId": "22572801-b09e-11ea-9659-023335c1afde", "tracePointDescription": "Capture payload", "threadName": "[MuleRuntime].cpuLight.13: [adaptive-logger-test].adaptive-loggerFlow.CPU_LITE @6dbce5f9", "content": { "exception": "", "payload": "https://s3.console.aws.amazon.com/s3/object/unilever-ai-operationalframework/LEVEREDGE/prod/dispatch...?region=us-east-2&tab=overview", "businessFields": { }, "category": "org.unilever.apps.adaptiveloggertest" }, "environment": "TJ-Ecomm-Dev", "LogMessage": "Test-TJ-SCHED", "correlationId": "227425e0-b09e-11ea-9659-023335c1afde", "interfaceName": "Process finance Layer", "tracePoint": "START", "timestamp": "2020-06-17T13:26:21.759Z" }

We are trying to create a Indexed field for correlationId at Indexing time by using transforms.conf, props.conf,  fields.conf .

How to link these conf files with inputs.conf.

Please help me in this.

Thanks&Regards,

Manikanth

Labels (3)
Tags (1)
0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!