Splunk Search

extract json files fields

Explorer

I have json logs that I want to extract.I did All items related to field extraction in props.conf file.
my log
{"export_time":"06:45:53","flows":[{"applicationNamePath":"XXX","applicationName":"tcp","flowStartSeconds":"1589957129","sourceTransportPort":"XXX","sourceIPv4Address":"190.x.x.x","destinationIPv4Address":"X.x.x.x","flowId":"64414","flowDirection":"0","tunnelTechnology":"no","destinationTransportPort":"443","flowExpired":"1","detectionCompleted":"0","tcpControlBits":"14","flowDurationMilliseconds":"9000","octetTotalCount":"152","packetTotalCount":"3","applicationCategoryName":"Network Service","p2pTechnology":"no","attributes":[]}],"last":1}

my props.conf:
indexed_extraction = json

0 Karma

Path Finder

| spath input=data
Use this one it will help you to extract the fields from the json format of logs.
You can also visit this blog :
https://splunkonbigdata.com/2018/09/05/how-to-extract-fields-from-the-json-format-data-in-splunk/

0 Karma

Explorer

it doesn't work.

0 Karma

Motivator

The example you provided appears to be valid, properly formatted json (checked via https://jsonlint.com).

Did you cycle Splunk after updating props.conf? It's required if/when you modify that config. Also, any data that was ingested prior to any modification of that config will not be displayed correctly, only new data.

0 Karma

Explorer

after updating i restart my splunk. what do you mean by cycle?

0 Karma

Motivator

Restart or cycle, different terms to the same end. You just need to restart the Splunk daemon/service.

You can also try adding the following to your search after modifying props.conf:
| extract reload=true

0 Karma

Champion

Hi

What is the issue?

0 Karma

Explorer

Hi,splunk Cannot extract fields.what should i do to extract this json fields?

0 Karma

Communicator

when you say cant extract, can you explain it in more detail. You JSON is valid so there shouldnt be any issues

0 Karma

Explorer

I want to make my search based on the fields extracted from my json log.But none of my fields were extracted and I have to extract my desired fields by writing Regex.
i separate my logs with defining different indexes in transforms.conf and props.conf

0 Karma