Getting Data In

detected_host, detected_timestamp, etc. with JSON file source

yuanliu
SplunkTrust

If I upload a file containing JSON records or monitor such a file/scripted input, a field named host becomes "detected_host", timestamp becomes "detected_timestamp", etc.  Is there some way to persuade indexer to accept these fields as host, _time, etc.?

I am looking at a number of such sources all with varying field names for these.  So, I hope by renaming/setting corresponding commonly used fields I could just use the default _json sourcetype without resorting to search time tricks.

0 Karma
1 Solution

venkatasri
SplunkTrust

Hi @yuanliu 

Splunk doesn't prefix the field names as detected*; this could be some pre-existing settings at search/index time modifying the host and timestamp fields. Let's continue to the solution.

To answer your query: for the timestamp field, use the props.conf TIME_PREFIX and TIME_FORMAT variables so that Splunk considers it as _time. This should be deployed to the HF/indexer.

The host field in your JSON can be assigned to the host default field using both props.conf and transforms.conf.


## This is just an example of a host override; it should be deployed to the HF/indexer.
## It works for any input type (UF, scripted input).

# props.conf
# The stanza header is one of [<sourcetype>], [host::<hostname>] or [source::<your_source>];
# the three cannot be combined in a single header, so pick the one that matches your input.
[your_json_sourcetype]
TRANSFORMS-host = hostoverride

# transforms.conf: override host. REGEX must capture the host value from the JSON payload,
# e.g. from "host": "web01"; $1 in FORMAT refers to the first capture group.
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = "host"\s*:\s*"([^"]+)"
FORMAT = host::$1


---

An upvote would be appreciated if it helps!


0 Karma
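As an added sanity check (not part of the answer above, and not Splunk's own code), the following Python script emulates the two index-time steps the answer describes, TIME_PREFIX/TIME_FORMAT for _time and a MetaData:Host transform for host, and runs them over a few constructed JSON records before anything is deployed to an HF. The conf fragments, the stanza name `your_json_sourcetype`, the default host `forwarder01` and the sample events are all assumptions made for the example. Python's `re` and `strptime` approximate Splunk's PCRE engine and timestamp parser closely enough for these patterns but are not identical, so treat it as a smoke test of the regexes, not as a replacement for testing on a real heavy forwarder.

```python
"""Local pre-deployment check for the props.conf / transforms.conf settings above.

Approximates what Splunk does on the HF/indexer at index time:
  * TIME_PREFIX + TIME_FORMAT (+ MAX_TIMESTAMP_LOOKAHEAD) -> _time
  * TRANSFORMS-<class> with DEST_KEY = MetaData:Host       -> host
Python's re/strptime are close to, not identical with, Splunk's PCRE/strptime.
"""
import configparser
import re
from datetime import datetime

# Constructed config fragments (assumptions, not from the thread); the stanza
# name is a placeholder for your own JSON sourcetype.
PROPS_CONF = r"""
[your_json_sourcetype]
TIME_PREFIX = "timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 30
TRANSFORMS-host = hostoverride
"""

TRANSFORMS_CONF = r"""
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = "host"\s*:\s*"([^"]+)"
FORMAT = host::$1
"""

# Constructed sample events in the style the question describes (_json sourcetype).
SAMPLE_EVENTS = [
    '{"host": "web01", "timestamp": "2024-05-01T12:34:56+0000", "msg": "login ok"}',
    '{"timestamp":"2024-05-01T12:35:10+0000","host":"db-02","msg":"query"}',
    '{"msg": "neither host nor timestamp in this record"}',
]


def load_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def extract_time(event, props):
    """Emulate TIME_PREFIX/TIME_FORMAT: return an aware datetime, or None."""
    prefix = re.search(props["TIME_PREFIX"], event)
    if not prefix:
        return None  # Splunk would fall back to the previous event's/current time
    lookahead = int(props.get("MAX_TIMESTAMP_LOOKAHEAD", 128))
    window = event[prefix.end():prefix.end() + lookahead]
    # strptime needs an exact match, whereas Splunk consumes only as much of the
    # lookahead window as TIME_FORMAT needs; emulate that by shrinking the window.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], props["TIME_FORMAT"])
        except ValueError:
            continue
    return None


def apply_host_override(event, transform, default_host):
    """Emulate DEST_KEY = MetaData:Host with FORMAT = host::$N."""
    match = re.search(transform["REGEX"], event)
    if not match:
        return default_host  # no match: the input's default host is kept
    expanded = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), transform["FORMAT"])
    key, _, host = expanded.partition("::")
    if key != "host":
        raise ValueError("FORMAT for MetaData:Host must look like host::<value>")
    return host


PROPS = load_conf(PROPS_CONF)["your_json_sourcetype"]
TRANSFORMS = load_conf(TRANSFORMS_CONF)


def index_event(event, props=PROPS, transforms=TRANSFORMS, default_host="forwarder01"):
    """Return the host and _time Splunk would assign to one raw JSON event."""
    host = default_host  # assumed default host of the forwarder/input
    for key, value in props.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            transform = transforms[name]
            if transform.get("DEST_KEY") == "MetaData:Host":
                host = apply_host_override(event, transform, host)
    return {"host": host, "_time": extract_time(event, props)}


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        result = index_event(raw)
        print(f"host={result['host']!r:<14} _time={result['_time']}  <- {raw}")
```

Run it as a script to see the host and _time each record would get. The second record, with no spaces after the colons and a hyphen in the host name, is there on purpose: a pattern such as `\w*` would miss `db-02`, while `[^"]+` captures the whole JSON string value, and the third record shows that an event without the field keeps the input's default host rather than an empty one.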


yuanliu
SplunkTrust

Splunk doesn't prefix the field names as detected*; this could be some pre-existing settings at search/index time modifying the host and timestamp fields. Let's continue to the solution.

Well, this is the behavior on a pretty clean install.

As you explained, if I want to set host/time/eventtype, etc., at index time for a JSON file, there is no escape from doing a custom sourcetype, even if I change the field names to host, _time, etc. Thanks, @venkatasri!

0 Karma