Getting Data In

How to configure heavy forwarder to extract multivalue nested json ?

prashant5847
Loves-to-Learn Everything

I have the following setup in place and I am sending events to Splunk Cloud from a K8S cluster. I am using a HF for data manipulation.

K8S cluster  --> Heavy Forwarder --> Splunk Cloud

I receive all events sent by the k8s cluster, but not all fields from the events are getting extracted as JSON.

Current Output


{ [-] action: modify containerid: 278e7bddd8b50ad885077 count: 1 host: example.com pid: 125 time: 1456789023 timestamp: 14567890234356 metrics: {"metrics":{\"name1\":{\"m1\":\"downsample\",\"m2\":\"sum\"},\"name2\":{\"Headers\":{\"Selector\":{\"m1\":\"downsample\",\"m2\":\"sum\"}}}"} uid: 0 user: 0 }

I am looking to convert all the data into JSON key-value format as shown in the expected output.

Expected Output

{ [-]
  action: modify
  containerid: 278e7bddd8b50ad885077
  count: 1
  host: example.com
  pid: 125
  time: 1456789023
  timestamp: 14567890234356
  metrics: {[-]
     metrics:{ [-]
         name1:{ [-]
           m1: downsample
           m2: sum
         }
         name2:{ [-]
           Headers :{ [-]
             Selector :{ [-]
               m1: downsample
               m2: sum
             }
           }
         }
     }
  }
  uid: 0
  user: 0
}

How do I need to configure the Splunk Heavy Forwarder to extract multivalued nested JSON?


prashant5847
Loves-to-Learn Everything

Hi @venkatasri 

Thank you for your suggestion. Yes, after formatting the data in proper JSON format, it was extracted successfully.

Further, we would like to move the 'm1: downsample' key-value pair, which is in Selector, into the header part of the same JSON message, below host and above pid. Is this possible from the Splunk heavy forwarder? If yes, what configuration changes do I need to apply to the message?

Thank you,
Prashant


venkatasri
SplunkTrust

Hi @prashant5847, Splunk is good at auto-extracting JSON events if they are well formatted.

Did you search on the search head and see the fields not being extracted correctly? Choose search mode Smart/Verbose.

If you still cannot find it, you don't need to extract it on the heavy forwarder. The search head will do the extractions for you.
Either you could use the spath command. Example: <your search return json event> | spath - this is an inline search.

Or update the sourcetype settings (props.conf) on the search head to include the following config:

[<sourcetype-name-of-json-events>]
AUTO_KV_JSON = true
KV_MODE = json

Hope this helps!

------------------------------

Srikanth Yarlagadda.

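The answer above notes that extraction works once the event is well-formed JSON, and the follow-up asks to lift Selector's m1 next to host. As an added example (not from this thread and not Splunk's own configuration), the Python below reproduces the failure mode, a "metrics" value that is JSON serialised a second time into a string, and shows a normalisation step that could run in the k8s log pipeline before the heavy forwarder: it decodes the string-encoded JSON and hoists Selector.m1 to the top level between host and pid. The event data is constructed from the values in the question; the function names are assumptions of this example.

```python
import json

# Constructed sample event in the shape the question shows: the outer object
# is JSON, but the "metrics" value was serialised a second time into a string
# (escaped quotes), so a JSON extractor sees one opaque string, not fields.
INNER = {"metrics": {"name1": {"m1": "downsample", "m2": "sum"},
                     "name2": {"Headers": {"Selector": {"m1": "downsample", "m2": "sum"}}}}}
RAW_EVENT = json.dumps({
    "action": "modify", "containerid": "278e7bddd8b50ad885077", "count": 1,
    "host": "example.com", "pid": 125, "time": 1456789023, "timestamp": 14567890234356,
    "metrics": json.dumps(INNER),  # the double serialisation that blocks extraction
    "uid": 0, "user": 0,
})


def decode_nested_json(event: dict) -> dict:
    """Return a copy in which every string holding a JSON object or array is parsed."""
    out = {}
    for key, value in event.items():
        if isinstance(value, str) and value[:1] in ("{", "["):
            try:
                value = json.loads(value)
            except json.JSONDecodeError:
                pass  # an ordinary string that merely starts with a bracket: keep it
        if isinstance(value, dict):
            value = decode_nested_json(value)
        out[key] = value
    return out


def hoist_field(event: dict, path: list, new_key: str, after: str) -> dict:
    """Copy the value at `path` to a top-level key placed directly after `after`.
    Dict insertion order is preserved, so the field lands between host and pid;
    if `after` is absent the field is appended at the end instead."""
    node = event
    for part in path:
        node = node[part]
    out = {}
    for key, value in event.items():
        out[key] = value
        if key == after:
            out[new_key] = node
    out.setdefault(new_key, node)
    return out


def normalize(raw: str) -> str:
    """Turn the double-encoded event into well-formed JSON with Selector.m1 hoisted."""
    event = decode_nested_json(json.loads(raw))
    path = ["metrics", "metrics", "name2", "Headers", "Selector", "m1"]
    return json.dumps(hoist_field(event, path, "m1", after="host"))
```

Running `normalize(RAW_EVENT)` yields a single-level JSON document whose metrics are real nested objects, which is the form Splunk's JSON extraction (spath or KV_MODE = json) handles without further configuration.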