Using regex and spath commands can be used to extract fields, but it's easier to use INDEXED_EXTRACTIONS = json or KV_MODE = json, and JSON data can change. If no events are getting auto-extracted then it sounds like your sourcetype may not be applied. There are some steps/investigations on your part to undertake.

Check at the inputs level that the data is getting set with the props.conf sourcetype you have set in your TA - verify this. (The data must be coming in from a JSON file or HEC type of input somewhere.)

Once you know the correct sourcetype, ensure that KV_MODE = json has been applied with other settings such as the below.

Note: INDEXED_EXTRACTIONS = json and KV_MODE = json set for the same sourcetype together causes the Splunk software to extract the JSON fields twice: once at index time, and again at search time. I advise you do not do this; stick to KV_MODE = json for now.

Analyse the data and work out some of the settings (known as the "magic 6") for props.conf, such as in the example below.

Tip - Ideally you should always place new data into a test index and get the props working, then place it into production once it is all working as expected.

Example props:

[my:json:data:sourcetype]
KV_MODE = json
# Tune the below to make Splunk more efficient
# look no further in the data than this many characters for the timestamp
MAX_TIMESTAMP_LOOKAHEAD =
# leave default
SHOULD_LINEMERGE = false
# regex before the timestamp
TIME_PREFIX =
# check your timestamp and format it, example: %Y-%m-%d %H:%M:%S%:z
TIME_FORMAT =
# leave as default, may need tuning
TRUNCATE = 10000
# regex to work out where to break the line
LINE_BREAKER =

Apply the above to your TA based on your specific data, then deploy, test and adjust as required. Also, there may already be a props TA if this data is a common data source on Splunkbase - have you checked that?
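As an added worked example (not part of the original answer and not Splunk's own code), the Python script below fills in the stanza above with concrete values for a constructed pair of JSON events, one compact and one pretty-printed, and emulates in a deliberately simplified way what each of the six settings does before you push the TA to a test index: LINE_BREAKER decides the event boundaries, TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT locate the timestamp, TRUNCATE cuts oversize events, and KV_MODE = json flattens the object into search-time fields. The sourcetype name, the regexes, the lookahead, the timestamp format and the sample events are all assumptions chosen for this example; Python's strptime stands in for Splunk's timestamp processor, which is more lenient, and the flattening is a small subset of what Splunk does.

```python
import configparser
import json
import re
from datetime import datetime
from typing import Optional

# Constructed props.conf fragment for a hypothetical sourcetype. The stanza
# name, regexes, lookahead and TIME_FORMAT are assumptions that fit SAMPLE_RAW.
PROPS_CONF = r"""
[my:json:data:sourcetype]
KV_MODE = json
SHOULD_LINEMERGE = false
# Break only where a newline run is followed directly by "{", so the indented
# inner lines of a pretty-printed object stay inside one event.
LINE_BREAKER = ([\r\n]+)(?=\{)
TRUNCATE = 10000
# Anchor on the "ts" key; look at most 30 characters past it for the timestamp.
TIME_PREFIX = "ts"\s*:\s*"
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
"""

# Constructed sample: one compact event and one pretty-printed event.
SAMPLE_RAW = (
    '{"ts": "2024-05-01T12:34:56+0000", "user": "alice", "action": "login", '
    '"src": {"ip": "10.0.0.5"}}\n'
    '{\n'
    '  "ts": "2024-05-01T12:35:10+0000",\n'
    '  "user": "bob",\n'
    '  "action": "login_failed",\n'
    '  "src": {"ip": "10.0.0.9"},\n'
    '  "tags": ["mfa", "vpn"]\n'
    '}\n'
)

def load_stanza(props_text: str, sourcetype: str) -> dict:
    """Return one stanza of a props.conf fragment as a plain dict."""
    # interpolation=None so "%Y" in TIME_FORMAT is not treated as a reference
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's upper-case setting names as written
    cp.read_string(props_text)
    return dict(cp[sourcetype])

def break_events(raw: str, line_breaker: str) -> list:
    """Emulate LINE_BREAKER: the text matched by capture group 1 is the
    delimiter and is discarded; everything between delimiters is one event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]

def extract_time(event: str, time_prefix: str, time_format: str,
                 lookahead: int) -> Optional[datetime]:
    """Emulate TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT: only
    `lookahead` chars after the prefix are examined, so a short window -> None."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    for n in range(len(window), 0, -1):  # longest candidate first
        try:
            return datetime.strptime(window[:n], time_format)
        except ValueError:
            continue
    return None  # Splunk would fall back to another time source and misfile it

def kv_extract_json(event: str) -> dict:
    """Emulate KV_MODE=json: nested keys become a.b, arrays become a{}."""
    def walk(obj, prefix, out):
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, f"{prefix}.{k}" if prefix else k, out)
        elif isinstance(obj, list):  # scalar arrays only in this emulation
            out[prefix + "{}"] = obj
        else:
            out[prefix] = obj
    try:
        data = json.loads(event)
    except json.JSONDecodeError:
        return {}  # no longer valid JSON: _raw is indexed but no fields appear
    out = {}
    walk(data, "", out)
    return out

def process(raw: str, props_text: str = PROPS_CONF,
            sourcetype: str = "my:json:data:sourcetype") -> list:
    """Run the emulated pipeline and return one dict per event."""
    st = load_stanza(props_text, sourcetype)
    truncate, lookahead = int(st["TRUNCATE"]), int(st["MAX_TIMESTAMP_LOOKAHEAD"])
    results = []
    for event in break_events(raw, st["LINE_BREAKER"]):
        event = event[:truncate]  # TRUNCATE drops the tail of oversize events
        results.append({
            "_raw": event,
            "_time": extract_time(event, st["TIME_PREFIX"], st["TIME_FORMAT"], lookahead),
            "fields": kv_extract_json(event) if st.get("KV_MODE") == "json" else {},
        })
    return results
```

Running `process(SAMPLE_RAW)` yields two events with the right timestamps and fields such as `src.ip` and `tags{}`. Swapping the LINE_BREAKER for a plain `([\r\n]+)` splits the pretty-printed object into eight fragments, a MAX_TIMESTAMP_LOOKAHEAD of 10 loses the timestamp, and a TRUNCATE of 40 keeps the timestamp but leaves no valid JSON, so KV_MODE extracts nothing; these are the three silent failures to look for when the fields do not appear. On the Splunk side, `splunk btool props list <sourcetype> --debug` shows the effective settings and which file they come from, which is the quickest way to confirm the TA's stanza is actually being applied.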