How to create Indexed Field Extraction from JSON ...

manikanthkoti · ‎06-17-2020

Hi Everyone,

We are receiving below Data from HEC Token into Splunk.

{ "mirId": "Mule-111", "appVersion": "v1", "businessGroup": "Ecomm-Direct2Customer", "compress": false, "appName": "dev-pross-Ecomm-int-v1", "relational_correlationId": "22572801-b09e-11ea-9659-023335c1afde", "tracePointDescription": "Capture payload", "threadName": "[MuleRuntime].cpuLight.13: [adaptive-logger-test].adaptive-loggerFlow.CPU_LITE @6dbce5f9", "content": { "exception": "", "payload": "https://s3.console.aws.amazon.com/s3/object/unilever-ai-operationalframework/LEVEREDGE/prod/dispatch...?region=us-east-2&tab=overview", "businessFields": { }, "category": "org.unilever.apps.adaptiveloggertest" }, "environment": "TJ-Ecomm-Dev", "LogMessage": "Test-TJ-SCHED", "correlationId": "227425e0-b09e-11ea-9659-023335c1afde", "interfaceName": "Process finance Layer", "tracePoint": "START", "timestamp": "2020-06-17T13:26:21.759Z" }

We are trying to create a Indexed field for correlationId at Indexing time by using transforms.conf, props.conf, fields.conf .

How to link these conf files with inputs.conf.

Please help me in this.

Thanks&Regards,

Manikanth

How to create Indexed Field Extraction from JSON Data?

administration

development

metrics

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation