How to extract JSON file format as Fields using props.conf and Transform.conf file?

karthi2809
Builder

Hi,
Thanks in advance.

My JSON file is below.

How do I extract fields using the props and transforms configuration files?

{
"AAA": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"BBB": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"CCC": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"DDD": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

did you explore the INDEXED_EXTRACTIONS=JSON option in props.conf?

You can find more info at https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Propsconf

in a few words, in props.conf put

[your_sourcetype]
INDEXED_EXTRACTIONS = JSON 

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

 

{
"AAA": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"BBB": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"CCC": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"DDD": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}

 

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

this isn't a JSON format. Is this the full log or a part of it?

If it's a part of it, please share the full log.

Anyway, using an extraction with INDEXED_EXTRACTIONS = JSON, you have the following fields:

[screenshot: gcusello_0-1654592942756.png]

 

Ciao.

Giuseppe

0 Karma
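One way to check whether a file like the one posted above is valid JSON before tuning props.conf, as an added example (not code from this thread or from Splunk): it splits a stream of back-to-back objects into top-level chunks and parses each chunk on its own. `SAMPLE` is constructed from the paths in the first post, and the function names are this example's own.

```python
import json

# Constructed sample: objects written back to back ("}{"), as in the posted
# log, with a trailing comma in the second object.
SAMPLE = r'''{
  "AAA": {"modified_files": [
    "a/D:\\\\splunk\\\\A / ui/.env",
    "a/D:\\\\splunk\\\\A / ui/.env.example"
  ]}
}{
  "BBB": {"modified_files": [
    "a/D:\\\\splunk\\\\B / ui/.env",
  ]}
}{
  "CCC": {"modified_files": [
    "a/D:\\\\splunk\\\\B / ui/.env.example"
  ]}
}'''

def whole_file_error(text):
    """Return the parser message when the file is read as ONE JSON document."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        return exc.msg

def split_top_level(text):
    """Yield (offset, chunk) per top-level {...}; braces inside strings are ignored."""
    depth, start, in_str, esc = 0, 0, False, False
    for i, ch in enumerate(text):
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                yield start, text[start:i + 1]

def check_stream(text):
    """Parse each top-level object separately and report key, file count, error."""
    report = []
    for offset, chunk in split_top_level(text):
        row = {"offset": offset, "key": None, "files": 0, "error": None}
        try:
            obj = json.loads(chunk)
            row["key"] = next(iter(obj), None)
            inner = obj.get(row["key"])
            if isinstance(inner, dict):
                row["files"] = len(inner.get("modified_files", []))
        except json.JSONDecodeError as exc:
            line = text.count("\n", 0, offset + exc.pos) + 1
            row["error"] = f"line {line}: {exc.msg}"
        report.append(row)
    return report
```

Read as a single document, the sample fails with "Extra data" at the first `}{`; read object by object, only the chunk with the trailing comma is rejected.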

karthi2809
Builder

Hi @gcusello ,

Below is the result of the JSON log file.

 

{
  "AAA": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/logs/refs/heads/master", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/refs/heads/master", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Database/2021.10_sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/VisualStudio2005/WebService.sln", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/VisualStudio2005/WebSite.sln", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/lu.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.DEV.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web..config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.PP.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.QA.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.SIT.config"
    ]
  }
}{
  "BBB": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/refs/heads/feature/new-server-updates", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/refs/heads/integration", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/objects/pack/pack-87d6b8ab05803d2bd514f956bb3ee97eb5db6d4d.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/objects/pack/pack-87d6b8ab05803d2bd514f956bb3ee97eb5db6d4d.pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/refs/heads/feature/new-server-updates", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/refs/heads/integration", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/BBB.Build/BBB.Build.psm1", 
    ]
  }
}{
  "CCC": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/refs/heads/BLTSFix", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/objects/pack/pack-.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/objects/pack/pack-1.pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/objects/pack/pack-f067c2bff747ce861.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/packed-refs", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/refs/heads/BLTSFix", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.vscode/launch.json", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/BltsService.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/Dare.cs", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/Web.$$OAT.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Database/2021.9_JIRA15219_ProductCodes/01_JIRA15219_ProductCodes_Backup.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Database/2021.9_JIRA15219_ProductCodes/02_JIRA15219_BLTS_ProductCodes.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Database/2021.9_JIRA15219_ProductCodes/JIRA15219_ProductCode_BackoutDBScript.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Web/WebSite/Blts.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Web/WebSite/Web.$$OAT.config"
    ]
  }
}{
  "DDD": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/refs/heads/BBB-11392_BU_$$Replication", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/objects/pack/pack-f46eea35cf14742a81d21f669f667e4df3bdc2a6.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/objects/pack/pack-f46eea35cf14742a81d21f669f667e4df3bdc2a6.pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/refs/heads/BBB-11392_BU_$$Replication", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.gitignore", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/BOController/Controller.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/CollateralEngine/ZAddDAO.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/RISSearch/SearchRis.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/SoapComm/SoapGenerator.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/binaries/duplicateaccounts.xsl", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/binaries/selectedentities.xsl", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/ccmspersist/XMLHelper.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/BOExtract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS-SSIS.database", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS-SSIS.dtproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS-SSIS.sln", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.APRA.Extract.Tables.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.APRA.Extract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.APRA.Extract.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Batch.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Batch.NewDB.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Extract.NewDB.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Extract.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.Data.Cleanse.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.Data.Cleanse.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.MasterData.Migration.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.MasterData.Migration.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RSDS.Extract.Tables.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RSDS.Extract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RSDS.Extract.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RefData.Migration.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RefData.Migration.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_Cleanup.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_CustomerRefresh.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_Orion_AuditCertificate.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_RIS_BOExtraction.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_RIS_FOExtraction.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CustRefresh.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/FOExtract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/Project.params", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/CI/script/nant/ccms_app_registry_nzoat.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/CI/script/nant/ccms_web_registry_nzoat.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/2021.11_JIRA15401_BulkUpdate/01_JIRA15401_BulkUpdate_DBScript_Backup.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/2021.11_JIRA15401_BulkUpdate/02_JIRA15401_BulkUpdate_DBScript.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/BackoutScripts/1.DROP_viw_CCMS_To_Elastic.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/BackoutScripts/pra_Rpt_ReportableEvents_ES_Backout.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/ChangeScripts/1.CREATE_viw_CCMS_To_Elastic.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/ChangeScripts/pra_Rpt_ReportableEvents_ES.sql"
    ]
  }
}{
  "EEE": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/.git/logs/refs/heads/BBB-15109_add_pk_tblOrgUnitBU", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/.git/refs/heads/BBB-15109_add_pk_tblOrgUnitBU", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###App/WebService/BUPS.Service.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###App/WebService/Web.$$OAT.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###Web/Common/DropDownListExtd/DropDownListExtd.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###Web/Common/LoggingManager/LoggingManager.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###Web/Common/MasterPages/Control/MasterPages", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###"
    ]
  }
}

 

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

as I said, using INDEXED_EXTRACTIONS = JSON in props.conf, you have the fields.

Ciao.

Giuseppe

 

0 Karma

karthi2809
Builder

Hi @gcusello @yuanliu

In my props.conf file:

[code_replication_json]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = (#%$@)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TRUNCATE = 0
MAX_EVENTS = 10000
INDEXED_EXTRACTIONS = json
KV_MODE = json

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

and does it run?

if not, could you share a sample of your logs using the Insert/Edit Code Sample button (</>)?

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

@gcusello Shared logs above.

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

I already answered your message: using INDEXED_EXTRACTIONS=JSON you have five fields:

[screenshot: gcusello_0-1655274366606.png]

Isn't this the result you want?

What's the result you want?

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

No, that did not work.

0 Karma

yuanliu
SplunkTrust

Maybe you are looking for kv_mode=json? See "Configure automatic key-value field extraction".
