Splunk Search

Is it possible to let Splunk recognize fields automatically with this layout

rrovers
Contributor

Hi,

I have a JSON file in Splunk with an arguments{} field like this:

field1=[content_field1] field2=[content_field2] field3=[content_field3]

Splunk doesn't recognize the fields field1 etc. I assume it is because this is not really JSON format, but I want to be sure.

I can extract the fields with rex, but it would be better if Splunk could recognize the fields automatically.

I think the content of the log file should be something like this:

arguments{}:{"field1":"content_field1",
"field2":"content_field2",
"field3":"content_field3"}

but I want to be sure that this is the best way (because if it is, the logging has to be changed).

Does Splunk recognize the fields automatically if events are logged in this way? Is the above the best way, or are there better ways to let Splunk recognize the fields automatically?

 

 

0 Karma

richgalloway
SplunkTrust

If you want Splunk to extract fields for you, then you must use a "standard" format.

By default, Splunk will extract fields from events in key=value format. Other formats, like CSV, JSON, XML, etc., must be specified in props.conf. JSON and XML events must be well-formed or Splunk will not extract anything from them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
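An added example (not code from the original post or from Splunk): a small producer that writes each event as one well-formed JSON object, and a checker that runs over a log file and reports which lines would qualify for automatic extraction as JSON, which only qualify as key=value, and which are neither. The sample lines are constructed; the checker's key=value recognizer is a simplified stand-in for Splunk's, not a reproduction of it, and the nested arguments object, the hypothetical action field and the dotted field names (arguments.field1) follow how Splunk names nested JSON keys once KV_MODE = json or INDEXED_EXTRACTIONS = json is set for the sourcetype in props.conf.

```python
"""Emit well-formed JSON events and audit a log for lines Splunk would not auto-extract.

Added example, not from the original post. Sample log lines are constructed.
"""
import json
import re

# Simplified key=value recognizer: a word, '=', then either a quoted string or a
# run of non-whitespace. This is the example's assumption of how key=value
# auto-extraction behaves, not Splunk's exact rules.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def emit_event(action, arguments):
    """Serialize one event as a single-line JSON object.

    'arguments' is written as a nested object, so a JSON-aware sourcetype
    would yield arguments.field1, arguments.field2, ... as separate fields.
    """
    return json.dumps({"action": action, "arguments": arguments},
                      separators=(",", ":"))


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names, e.g. arguments.field1."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def classify_line(line):
    """Classify one raw event line.

    Returns ("json", fields) for a well-formed JSON object, ("kv", fields) for
    a line that only yields key=value pairs, or ("unparsed", {}) when neither
    automatic extraction would produce anything.
    """
    line = line.strip()
    if line.startswith("{"):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            # A single missing quote makes the whole event unparseable.
            return ("unparsed", {})
        return ("json", flatten(obj))
    pairs = KV_RE.findall(line)
    if pairs:
        return ("kv", {k: v.strip('"') for k, v in pairs})
    return ("unparsed", {})


def audit_log(lines):
    """Return (line_number, classification) for every line in the log."""
    return [(i + 1, classify_line(line)[0]) for i, line in enumerate(lines)]


# Constructed sample log: the original bracketed layout, the snippet from the
# question with its missing quote, and an event written by emit_event().
SAMPLE_LINES = [
    "field1=[content_field1] field2=[content_field2] field3=[content_field3]",
    '{"arguments":{"field1":"content_field1","field2":"content_field2","field3:"content_field3"}}',
    emit_event("login", {"field1": "content_field1",
                         "field2": "content_field2",
                         "field3": "content_field3"}),
]

if __name__ == "__main__":
    for number, kind in audit_log(SAMPLE_LINES):
        print(f"line {number}: {kind}")
        if kind != "unparsed":
            print("   ", classify_line(SAMPLE_LINES[number - 1])[1])
```

Running the checker over an exported sample of the real log before changing the logger shows whether every event parses; one malformed line means that event yields no fields at all, and the bracketed values on the first sample line come through with the brackets attached, which is the reason the cleaner JSON layout is worth the logging change.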