Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

extract json files fields

khanlarloo
Explorer
‎05-19-2020 01:00 AM

I have json logs that I want to extract.I did All items related to field extraction in props.conf file.
my log
{"export_time":"06:45:53","flows":[{"applicationNamePath":"XXX","applicationName":"tcp","flowStartSeconds":"1589957129","sourceTransportPort":"XXX","sourceIPv4Address":"190.x.x.x","destinationIPv4Address":"X.x.x.x","flowId":"64414","flowDirection":"0","tunnelTechnology":"no","destinationTransportPort":"443","flowExpired":"1","detectionCompleted":"0","tcpControlBits":"14","flowDurationMilliseconds":"9000","octetTotalCount":"152","packetTotalCount":"3","applicationCategoryName":"Network Service","p2pTechnology":"no","attributes":[]}],"last":1}

my props.conf:
indexed_extraction = json

0 Karma
Reply

maityayan1996
Path Finder
‎05-19-2020 09:52 PM

| spath input=data
Use this one it will help you to extract the fields from the json format of logs.
You can also visit this blog :
https://splunkonbigdata.com/2018/09/05/how-to-extract-fields-from-the-json-format-data-in-splunk/

0 Karma
Reply

khanlarloo
Explorer
‎05-26-2020 11:54 PM

it doesn't work.

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 05:12 PM

The example you provided appears to be valid, properly formatted json (checked via https://jsonlint.com).

Did you cycle Splunk after updating props.conf? It's required if/when you modify that config. Also, any data that was ingested prior to any modification of that config will not be displayed correctly, only new data.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:06 PM

after updating i restart my splunk. what do you mean by cycle?

0 Karma
Reply

codebuilder
Influencer
‎05-19-2020 08:19 PM

Restart or cycle, different terms to the same end. You just need to restart the Splunk daemon/service.

You can also try adding the following to your search after modifying props.conf:
| extract reload=true

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

vnravikumar
Champion
‎05-19-2020 02:09 AM

Hi

What is the issue?

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 03:38 AM

Hi,splunk Cannot extract fields.what should i do to extract this json fields?

0 Karma
Reply

Sfry1981
Communicator
‎05-19-2020 05:07 AM

when you say cant extract, can you explain it in more detail. You JSON is valid so there shouldnt be any issues

0 Karma
Reply

khanlarloo
Explorer
‎05-19-2020 08:10 PM

I want to make my search based on the fields extracted from my json log.But none of my fields were extracted and I have to extract my desired fields by writing Regex.
i separate my logs with defining different indexes in transforms.conf and props.conf

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...