Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extract json files fields

khanlarloo
Explorer
‎05-19-2020 01:00 AM

I have json logs that I want to extract.I did All items related to field extraction in props.conf file.
my log
{"export_time":"06:45:53","flows":[{"applicationNamePath":"XXX","applicationName":"tcp","flowStartSeconds":"1589957129","sourceTransportPort":"XXX","sourceIPv4Address":"190.x.x.x","destinationIPv4Address":"X.x.x.x","flowId":"64414","flowDirection":"0","tunnelTechnology":"no","destinationTransportPort":"443","flowExpired":"1","detectionCompleted":"0","tcpControlBits":"14","flowDurationMilliseconds":"9000","octetTotalCount":"152","packetTotalCount":"3","applicationCategoryName":"Network Service","p2pTechnology":"no","attributes":[]}],"last":1}

my props.conf:
indexed_extraction = json

0 Karma
Reply

maityayan1996
Path Finder
‎05-19-2020 09:52 PM

| spath input=data
Use this one it will help you to extract the fields from the json format of logs.
You can also visit this blog :
https://splunkonbigdata.com/2018/09/05/how-to-extract-fields-from-the-json-format-data-in-splunk/

0 Karma
Reply

khanlarloo
Explorer
‎05-26-2020 11:54 PM

it doesn't work.

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 05:12 PM

The example you provided appears to be valid, properly formatted json (checked via https://jsonlint.com).

Did you cycle Splunk after updating props.conf? It's required if/when you modify that config. Also, any data that was ingested prior to any modification of that config will not be displayed correctly, only new data.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:06 PM

after updating i restart my splunk. what do you mean by cycle?

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 08:19 PM

Restart or cycle, different terms to the same end. You just need to restart the Splunk daemon/service.

You can also try adding the following to your search after modifying props.conf:
| extract reload=true

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

vnravikumar
Champion
‎05-19-2020 02:09 AM

Hi

What is the issue?

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 03:38 AM

Hi,splunk Cannot extract fields.what should i do to extract this json fields?

0 Karma
Reply

Sfry1981
Communicator
‎05-19-2020 05:07 AM

when you say cant extract, can you explain it in more detail. You JSON is valid so there shouldnt be any issues

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:10 PM

I want to make my search based on the fields extracted from my json log.But none of my fields were extracted and I have to extract my desired fields by writing Regex.
i separate my logs with defining different indexes in transforms.conf and props.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top