Is it possible to let splunk recognize fields aut...

rrovers · ‎05-23-2024

Hi,

I have a json-file in splunk with an arguments{}-field like this

field1=[content_field1] field2=[content_field2] field3=[content_field3]

splunk doesn't recognize the fields field1 etc. I assume it is because this is not really json format but I want to be sure.

I can extract the files with rex but if splunk can recognize the fields automatically would be better.

I think the content of the log-file should be something like this:

arguments{}:{"field1":"content_field1",
"field2":"content_field2",
"field3:"content_field3"}

but I want to be sure if that's the best way (because when it is the logging has to be changed).

Does splunk recognize the fields automatically if events are logged in this way? Is the above mentioned the best way or are there better ways to let splunk recognize the fields automatically?

richgalloway · ‎05-23-2024

If you want Splunk to extract fields for you then you must use a "standard" format.

By default, Splunk will extract fields from events in key=value format. Other formats, like CSV, JSON, XML, etc. must be specified in props.conf. JSON and XML events must be well-formed or Splunk will not extract anything from them.

---
If this reply helps you, Karma would be appreciated.

Is it possible to let splunk recognize fields automatically with this layout

field extraction

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?