Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I strip the headers for JSON to parse correctly? Currently not working!

danfein
New Member
‎12-29-2016 01:23 PM

I am trying to remove the header of my JSON data but my current setup will not work, it continues to parse with the header (and therefore doesn't actually parse!).

The header / beginning of the JSON looks like this:

2016-12-29T14:52:53-05:00 17.1.9.10 {"creationTime": 1483993708000

I tried this: 

[sourcename]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
category=Structured
disabled=false
pulldown_type=true
TZ=America/New_York
SEDCMD-StripHeader = s/^[^{]+//
KV_MODE = json
EXTRACT-_time={"creationTime":
TIME_PREFIX=\{\"creationTime\"\:
TZ=America/New_York
MAX_TIMESTAMP_LOOKAHEAD=13

Any idea why this is not working?

Many thanks in advance!

Tags (3)
0 Karma
Reply

koshyk
Super Champion
‎12-29-2016 08:45 PM

I had similar issue and was solved using answers
https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs.html

I would split the logic into two parts. (1) To extract whole JSON out (2) To extract key value pairs within JSON
In props.conf

### props.conf
 [myjson]
 REPORT-json = report-json,report-json-kv

In transforms.conf

[report-json]       
 # This will get the json payload from the logs. 
 REGEX = (?P<json1>{\"creationTime\".+)

  [report-json-kv]
  SOURCE_KEY = json1
  KV_MODE = json
  NO_BINARY_CHECK = 1
  TRUNCATE = 0
  TIME_PREFIX=\{\"creationTime\"\:
  TZ=America/New_York
  SHOULD_LINEMERGE = true
  BREAK_ONLY_BEFORE = someregularexpression
  MAX_TIMESTAMP_LOOKAHEAD=13
0 Karma
Reply

danfein
New Member
‎12-31-2016 12:34 PM

I really don't understand how this works/breaks down. Can you describe the approach, please?

0 Karma
Reply

danfein
New Member
‎12-30-2016 04:46 AM

Unfortunately this didn't work for me, if I am adding data in manually to test, would I be able to see this in the UI or only at search time?

Additionally, for the BREAK_ONLY_BEFORE, do I want everything leading up the the {\"creationTime or everything after?

Thanks!

0 Karma
Reply

koshyk
Super Champion
‎12-30-2016 06:44 AM

The above settings are REPORT. So search time. You can change to "TRANSFORMS-json" to make it index time.
break_only_before is something you need to try out and test as I don't have the full json. normally it is }\n

0 Karma
Reply

danfein
New Member
‎12-30-2016 10:27 AM

Ok I will try to make this work; it may be unorthodox but do you have Skype or teamviewer? This is really driving me in circles!

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...