Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a Field Extraction using PROPS Configuration File for Nested JSON Events?

SplunkDash
Motivator
‎08-12-2022 01:32 PM

Hello,

I have done field extraction for the nested JSON event using props.conf file.  Everything is working as expected but facing one issue based on my requitements. Sample JSON event, my props.conf file, and the reequipments/issue are giving below.  Any help will be greatly appreciated, thank you so much.

Sample Nested JSON Event:

{"TIME":"20220622154541","USERTYPE":"DSTEST","UID":"TEST01","FCODE":"06578","FTYPE":"01","SRCODE":"0A1","ID":"v23488d96-a1283-4ddf-8db7-8911-DS","IPADDR":"70.215.72.231","SYSTEM":"DS","EID":"ASW-CHECK","ETYPE":"VALID","RCODE":"001","DETAILINFO":{"Number":"03d1194292","DeptName":"DEALLE","PType":"TRI"},"YCODE":"1204342"}

 props.conf:

[sourcetypename]

CHARSET=UTF-8

EVENT_BREAKER_ENABLE=TRUE

INDEXED_EXTRACTIONS=json

KV_MODE=json

LINE_BREAKER=([\r\n]+)

MAX_TIMESTAMP_LOOKAHEAD=30

NO_BINARY_CHECK=true

SHOULD_LINEMERGE=true

TIME_FORMAT=%Y%m%d%H%M%S

TIME_PREFIX={"TIME":"

TRUNCATE=2000

category=Custom

disabled=false

pulldown_type=true

 

Issue/Requirements:

I am getting Key/Value pair for the nested Key/Field DETAILINFO as

DETAILINFO.Number = 03d1194292

DETAILINFO.DeptName = DEALLE

DETAILINFO.PType = TRI

My requirement:  "DETAILINFO" Key/Value pair should show up like below after the extraction:

DETAILINFO ="Number":"03d1194292","Dept name":"DEALLE","PType":"TRI"

OR

DETAILINFO= {"Number":"03d1194292","Dept name":"DEALLE","PType":"TRI"}

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-12-2022 08:56 PM

I don't think that's possible at index time.  Use spath at search time

 

| spath path=DETAILINFO

 

Or use json_extract()

 

| eval DETAILINFO = json_extract(_raw, "DETAILINFO")

 

 

Tags (2)
Reply

SplunkDash
Motivator
‎08-12-2022 09:41 PM

Hello,

Thank you so much for your reply. But how can I use it in my props.conf file?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-12-2022 10:12 PM

You cannot.  Potentially you can set this up as an extracted field so you don't have to enter it in search line

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...