Ive poured over about all the json extracting solutions I could find and can't seem to find anything that actually works.
If I have an even that is nothing but json, setting the source type kv_mode = json in props.conf works just fine, the issue is I have events like below. I need to preserve the timestamp obviously, and have splunk be able to recognize the json elements. This particular example has an epoch timestamp for the created_at key in the json, but for sake of argument, lets just assume the initial timestamp is what we want to use. I would optimally like all the elements in the json to be picked up from field discovery and the entire event stamped with the time stamp.
2013-06-11T15:24:38+00:00 DEBUG (7):
The path of the api call: /se/get/maven/116490
Json sent: []
Json recieved: {"status":"success","data":{"maven":{"email":"value","first_name":"value","last_name":"value","subscription":{"length":1,"status":"ACTIVE","first_name":"value","last_name":"value","start_month": value,"start_year": value,"tier_id": value,"skip_earned":false,"skip_allowed":true,"style_profile":"value","prepaid_shipments":0,"repeat_billing":true,"recurring_price": value,"shipping_address":{"address1":"value","address2":null,"city":"value","country":"value","phone":"value","state":"value","zip":"value"},"payment_method":{"payment_method_id": value,"processor_token":"value","processor_code":"value","expiration_month": value,"expiration_year": value},"skip_count":0,"successive_skips":0,"successive_fails":0,"created_at":1397068985000,"modified_at":1397069252000},"orderJSON":{"customer_id":"value","maven_id":value,"maven_status":"ACTIVE","tier_id":1,"shipping_address":{"firstname":"value","lastname":"value","street1":"value","street2":null,"city":"value","region":"value","postcode":"value","telephone":"value","country_id":"US"},"earned_skip":false,"always_can_skip":true,"repeat_billing":true,"prepaidShipments":0,"recurring_price": value,"subscription_term":1,"style_profile_code":"value","start_month": value,"start_year": value,"processor_code":"value"},"maven_id": value,"billing_address":{"address1":"value","address2":null,"city":"value","country":"value","phone":"value","state":"value","zip":"value"},"cim_customer_id":null,"customer_id":"value"}}}
... View more