Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Automatic JSON log extraction

deepak02
Path Finder
‎03-28-2017 10:35 AM

Hi,

I am uploading logs in JSON format into Splunk.

I want to enable automatic field extraction.

Is there any setting for this, or does Splunk always enable automatic field extraction by default?

Thanks,
Deepak

Tags (1)
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎03-28-2017 10:49 AM

Hi deepak02!

Splunk has both indexed extractions and searchtime extractions for json.

They are found in props.conf.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf

INDEXED_EXTRACTIONS = < CSV|W3C|TSV|PSV|JSON >
* Tells Splunk the type of file and the extraction and/or parsing method
  Splunk should use on the file.
  CSV  - Comma separated value format
  TSV  - Tab-separated value format
  PSV  - pipe "|" separated value format
  W3C  - W3C Extended Extended Log File Format
  JSON - JavaScript Object Notation format
* These settings default the values of the remaining settings to the
  appropriate values for these known formats.
* Defaults to unset.

*If you are using a forwarder, be sure to put the props.conf on the forwarder! not just the indexer!

Also as an FYI, Splunk has a searchtime extractions available:

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
  * none: if you want no field/value extraction to take place.
  * auto: extracts field/value pairs separated by equal signs.
  * auto_escaped: extracts fields/value pairs separated by equal signs and
                  honors \" and \\ as escaped sequences within quoted
                  values, e.g field="value with \"nested\" quotes"
  * multi: invokes the multikv search command to expand a tabular event into
           multiple events.
  * xml : automatically extracts fields from XML data.
  * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not
  overridden by automatic field/value extraction for a particular host,
  source, or source type, and also increases search performance.
* Defaults to auto.
* The 'xml' and 'json' modes will not extract any fields when used on data
  that isn't of the correct format (JSON or XML).

OR

AUTO_KV_JSON = [true|false]
* Used for search-time field extractions only.
* Specifies whether to try json extraction automatically.
* Defaults to true.

What ever way you decide, I encourage you to try a sample of your json using the Add Data wizard, to ensure you are getting the extractions you expect.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Setsourcetype

- MattyMo
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...