Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About kwarre3036
kwarre3036
Explorer
Member since:
04-27-2021
06-10-2021
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 04-27-2021 |
Activity Feed
- Posted Re: JSON extra value "none" timestamp field on Getting Data In. 06-09-2021 06:09 AM
- Karma Re: JSON extra value "none" timestamp field for venkatasri. 06-09-2021 06:09 AM
- Karma Re: JSON extra value "none" timestamp field for venkatasri. 06-09-2021 06:09 AM
- Posted JSON extra value "none" timestamp field on Getting Data In. 06-08-2021 07:06 AM
- Posted Re: Extract all key value pairs JSON on Splunk Search. 04-28-2021 11:12 AM
- Posted Re: Extract all key value pairs JSON on Splunk Search. 04-28-2021 11:10 AM
- Posted Re: Extract all key value pairs JSON on Splunk Search. 04-28-2021 05:48 AM
- Posted Extract all key value pairs JSON on Splunk Search. 04-27-2021 01:22 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
06-09-2021
06:09 AM
Making these two modifications to the props.conf did eliminate the value "none" in the timestamp field. Now, my timestamp is being parsed and only one value is present. This is good! However, now my _time = timestamp which is what you indicated in your note. When I had the parameters set the other way, my _time = indextime. It seems now that I will need to run " | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")" in order to see my indextime. This should not be an issue unless for some reason, my events have a large discrepancy between timestamp and indextime.
... View more
06-08-2021
07:06 AM
I am attempting to index and search JSON logs and each event contains an extra value ("none") for timestamp that I would like to eliminate. Here is my inputs.conf [monitor:///home/username/json_test.log] index = index_name source = json_test.log sourcetype = json_kwarre_v3 host = myhostname Here is my props.conf [json_kwarre_v3] BREAK_ONLY_BEFORE = ^{ MUST_BREAK_AFTER = }$ LINE_BREAKER = ^{ KV_MODE= json NO_BINARY_CHECK = true TIME_PREFIX = timestamp\"\:\ \" TIME_FORMAT=%Y-%m-%dT%H:%M:%S:%3N category = Structured description = A variant of the JSON source type, with support for nonexistent timestamps disabled = false pulldown_type = true BREAK_ONLY_BEFORE_DATE = Below, I have pasted the json event from the log. The event actually looks like one line in the log, but when pasted into the ticket it appears as several lines. {"sessionId":"5b8d6d8d-8e63-413b-876e-34cfaa894676","service":"RAF","request":{"vendorId":"Digital","clientId":"2234567890g"},"response":{"vendorId":"Digital","clientId":"2234567890g","transactionStatus":"1000","transactionMessage":"Success"},"routing_time":"10","elapsedTime":"107","timestamp_begin":"2021-06-06T17:51:30.895Z","level":"info","message":"SUCCESS","timestamp":"2021-06-06T17:51:31.002Z"} I have attached screenshot of my results. The only unexpected result I would like to eliminate is the extra "none" associated with the timestamp field
... View more
Labels
- Labels:
-
JSON
04-28-2021
11:12 AM
I think I can do this in the transforms.conf. That is what I will try next.
... View more
04-28-2021
11:10 AM
This is working, but I have one follow=up question. There are now two values for timestamp. The first is "none" and the second is "2021-04-26T21:33:44.406Z". It looks like this is a keyword to Splunk. I would like the "_time" field to continue to be the time the data was indexed (current_time), but I would like to create a timestamp field with only one value = "2021-04-26T21:33:44.406Z"? Is there a way to eliminate the value "none"? Thanks for your help?
... View more
04-28-2021
05:48 AM
The data actually has indentions on lines 2-13. My original post was incorrectly pasted with data in the first position of each line. The full event is being pulled into Splunk as I would expect, but all the key pairs are not being recognized. I have attempted to paste below what the data actually looks like. { "sessionId": "kevin70", "service": "RAF", "request": { "vendorId": "Digital", "clientId: "1234567890d" }, "response": { "vendorId": "Digital", "clientId": "1234567890d", "transactionStatus": "7000", "transactionMessage": "Success" }, "elapsedTime": "513", "timestamp_begin": 2021-04-26T21:33:43.893Z, "level": "info", "message": "SUCCESS", "timestamp": "2021-04-26T21:33:44.406Z" } Thanks for taking a look.
... View more
04-27-2021
01:22 PM
I have the following log example and Splunk correctly pulls the first few fields (non-nested) as well as the first value pair of the nested fields. However, after the first field, Splunk does not seem to recognize the remaining fields. { "sessionId": "kevin70", "service": "RAF", "request": { "vendorId": "Digital", "clientId: "1234567890d" }, "response": { "vendorId": "Digital", "clientId": "1234567890d", "transactionStatus": "7000", "transactionMessage": "Success" }, "elapsedTime": "513", "timestamp_begin": 2021-04-26T21:33:43.893Z, "level": "info", "message": "SUCCESS", "timestamp": "2021-04-26T21:33:44.406Z" } My props.conf looks like the following: [json_v3] BREAK_ONLY_BEFORE = ^{ LINE_BREAKER = ^{ KV_MODE=json NO_BINARY_CHECK = true TZ = America/Chicago category = Structured description = A variant of the JSON source type, with support for nonexistent timestamps disabled = false pulldown_type = true BREAK_ONLY_BEFORE_DATE = My inputs.conf looks like this: [monitor:///home/myuser/json_test.log] index = personalizedoffer source = json_test.log sourcetype = json_v3 host = myhost The last value pair that Splunk recognized is request.vendorId. After that, no other fields are automatically generated. Additionally, I have attempted to use spath by piping it to my simple search which is below: index=personalizedoffer source="json_test.log" I want the values of pairs represented including: request.clientId, response.vendorId, response.clientId, response.transactionStatus, response,transactionMessage, elapsedTime, timestamp_begin, level, message, timestamp Any help is appreciated!
... View more
Labels
- Labels:
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-10-2021
08:22 AM
|
