Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to specify field names while loading the data using splunk java api

sdaruna
Explorer
‎12-13-2015 05:23 AM

I would like to index the data using java api. How could i specify the field names while indexing the data.?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-14-2015 03:53 AM

To get "indexed field extractions" see "indexed_extractions" in props.conf documentation here: http://docs.splunk.com/Documentation/Splunk/6.3.1511/admin/Propsconf

You need to create input app that runs your Java as a scripted input.

#I do this so I can see errors on STDOUT caused by the script.. by opening index=_internal in splunk.
[script:///opt/splunk/etc/apps/java_input_app/bin/javabinary]
index = _internal 
sourcetype = java_etl
source = javabinary

And then the inputs necessary to read the files your javabinary is creating:

[batch:///opt/splunk/etc/apps/java_input_app/data/1.csv]
index = index1
sourcetype = 1csv
crcSalt = <SOURCE>

Finally you need props.conf entry for each of your sourcetypes:

[1csv]
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER = ,
FIELD_QUOTE = "

Put props.conf and inputs.conf in .../java_input_app/local or /default... see configuration file precedence for more details as to which will supersede the other. http://docs.splunk.com/Documentation/Splunk/6.3.1511/Admin/Wheretofindtheconfigurationfiles

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎12-13-2015 04:03 PM

Is this essentially the same question as https://answers.splunk.com/answers/334380/how-to-load-java-objects-into-plunk.html? If so, then please stick to that question.

0 Karma
Reply

sdaruna
Explorer
‎12-13-2015 04:26 PM

sure martin. thank you...

apologies for asking u again.. do you have any comments on the flow i explained.?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎12-13-2015 03:10 PM

Usually splunk fields are search-time, so there's no need to specify any while indexing. Is there any reason why you'd like to do that?

http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Aboutfields

0 Karma
Reply

sdaruna
Explorer
‎12-13-2015 03:57 PM

Hi Martin,

Thanks very much for your response. I was literally crumbling to achieve my requirement.
Let me tell you my requirement.

I will get a huge xml file of configurations from client. I need to take one node each and index into separate indexes respectively and finally i need to get a table joining the indexes. Lets stay, i will get xml with classes, students and courses. I need to fetch classes from xml and need to index to classe and similar to others.
After this, i need to create a table out of them joining those three.

I chose java indexing for this. So, i will get xml and get the xpath data, and then form event string and then index them to splunk. I was wondering how to specify the fieldnames while indexing..

1) Did i chose right way, or is there any other way.?
2) if so, can i specify the fieldnames while indexing the events into splunk.?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...