Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

extract json files fields

khanlarloo
Explorer
‎05-19-2020 01:00 AM

I have json logs that I want to extract.I did All items related to field extraction in props.conf file.
my log
{"export_time":"06:45:53","flows":[{"applicationNamePath":"XXX","applicationName":"tcp","flowStartSeconds":"1589957129","sourceTransportPort":"XXX","sourceIPv4Address":"190.x.x.x","destinationIPv4Address":"X.x.x.x","flowId":"64414","flowDirection":"0","tunnelTechnology":"no","destinationTransportPort":"443","flowExpired":"1","detectionCompleted":"0","tcpControlBits":"14","flowDurationMilliseconds":"9000","octetTotalCount":"152","packetTotalCount":"3","applicationCategoryName":"Network Service","p2pTechnology":"no","attributes":[]}],"last":1}

my props.conf:
indexed_extraction = json

0 Karma
Reply

maityayan1996
Path Finder
‎05-19-2020 09:52 PM

| spath input=data
Use this one it will help you to extract the fields from the json format of logs.
You can also visit this blog :
https://splunkonbigdata.com/2018/09/05/how-to-extract-fields-from-the-json-format-data-in-splunk/

0 Karma
Reply

khanlarloo
Explorer
‎05-26-2020 11:54 PM

it doesn't work.

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 05:12 PM

The example you provided appears to be valid, properly formatted json (checked via https://jsonlint.com).

Did you cycle Splunk after updating props.conf? It's required if/when you modify that config. Also, any data that was ingested prior to any modification of that config will not be displayed correctly, only new data.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:06 PM

after updating i restart my splunk. what do you mean by cycle?

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 08:19 PM

Restart or cycle, different terms to the same end. You just need to restart the Splunk daemon/service.

You can also try adding the following to your search after modifying props.conf:
| extract reload=true

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

vnravikumar
Champion
‎05-19-2020 02:09 AM

Hi

What is the issue?

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 03:38 AM

Hi,splunk Cannot extract fields.what should i do to extract this json fields?

0 Karma
Reply

Sfry1981
Communicator
‎05-19-2020 05:07 AM

when you say cant extract, can you explain it in more detail. You JSON is valid so there shouldnt be any issues

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:10 PM

I want to make my search based on the fields extracted from my json log.But none of my fields were extracted and I have to extract my desired fields by writing Regex.
i separate my logs with defining different indexes in transforms.conf and props.conf

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...