Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extract json files fields

khanlarloo
Explorer
‎05-19-2020 01:00 AM

I have json logs that I want to extract.I did All items related to field extraction in props.conf file.
my log
{"export_time":"06:45:53","flows":[{"applicationNamePath":"XXX","applicationName":"tcp","flowStartSeconds":"1589957129","sourceTransportPort":"XXX","sourceIPv4Address":"190.x.x.x","destinationIPv4Address":"X.x.x.x","flowId":"64414","flowDirection":"0","tunnelTechnology":"no","destinationTransportPort":"443","flowExpired":"1","detectionCompleted":"0","tcpControlBits":"14","flowDurationMilliseconds":"9000","octetTotalCount":"152","packetTotalCount":"3","applicationCategoryName":"Network Service","p2pTechnology":"no","attributes":[]}],"last":1}

my props.conf:
indexed_extraction = json

0 Karma
Reply

maityayan1996
Path Finder
‎05-19-2020 09:52 PM

| spath input=data
Use this one it will help you to extract the fields from the json format of logs.
You can also visit this blog :
https://splunkonbigdata.com/2018/09/05/how-to-extract-fields-from-the-json-format-data-in-splunk/

0 Karma
Reply

khanlarloo
Explorer
‎05-26-2020 11:54 PM

it doesn't work.

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 05:12 PM

The example you provided appears to be valid, properly formatted json (checked via https://jsonlint.com).

Did you cycle Splunk after updating props.conf? It's required if/when you modify that config. Also, any data that was ingested prior to any modification of that config will not be displayed correctly, only new data.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:06 PM

after updating i restart my splunk. what do you mean by cycle?

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 08:19 PM

Restart or cycle, different terms to the same end. You just need to restart the Splunk daemon/service.

You can also try adding the following to your search after modifying props.conf:
| extract reload=true

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

vnravikumar
Champion
‎05-19-2020 02:09 AM

Hi

What is the issue?

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 03:38 AM

Hi,splunk Cannot extract fields.what should i do to extract this json fields?

0 Karma
Reply

Sfry1981
Communicator
‎05-19-2020 05:07 AM

when you say cant extract, can you explain it in more detail. You JSON is valid so there shouldnt be any issues

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:10 PM

I want to make my search based on the fields extracted from my json log.But none of my fields were extracted and I have to extract my desired fields by writing Regex.
i separate my logs with defining different indexes in transforms.conf and props.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top