Getting Data In

How to extract keys and values from the JSON data from data received from the Modular Input?

marrette
Path Finder

Hi all,

Sorry I know this has been asked a million and one times here before but none of the previous answers seem to work for me.

I'm writing a modular input to collect data from another system using it's API. The modular input is working, it's getting the data, it's passing it into Splunk via XML streaming. It even seems like Splunk recognises it's JSON data (I can search for it and the output is nicely formatted as JSON). But the keys and values aren't being extracted into fields - which is really annoying because I can't search the data via a key value immediately.

I've tried adding "INDEXED_EXTRACTIONS = json" to the props.conf in default in the app on the heavy forwarder it's deployed on - but that's made no difference. I also tried adding "kv_mode = json" in the props.conf on the search head and that didn't help either.

Ideally I'd like to make it so this modular input causes Splunk to extract the key-value pairs from the data as it's indexed.

Is this possible? Or should I be attempting this in another way?

Thanks
Eddie

0 Karma

skalliger
SplunkTrust
SplunkTrust

Either you use INDEXED_EXTRACTIONS or KV_MODE, but not both. Set KV_MODE = none on your Search Head's props.conf if you really want to have indexed fields.

Skalli

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Both of these attempts should be correct to extract keys. I recommend KV_MODE = json becuase Splunk's strength is that its a search-time platform. If its doing the nice formatting, then that means its valid JSON. Might be worth using btool to check the sourcetype is definitely KV_MODE = json

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Also make sure you aren't in fast mode.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...