Getting Data In

Indexing JSON data

monteirolopes
Communicator

Hi,

I created a sourcetype (props.conf) to parse my json files. A local input (index once) was created only to test the props.conf and it works fine!
When I tried to create a continuous file monitor, the events didn't appear in Splunk. I tried to monitor the entire folder (*.json) and a specific JSON file.
Has anyone had something similar?

My props.conf follows:

[json_mention]
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = false
SHOULD_LINEMERGE = false
LINE_BREAKER = ({\s+"location":)
MUST_BREAK_AFTER = {\s+"location":
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=({\s+"collected_at":\s+")
MAX_TIMESTAMP_LOOKAHEAD=20

Best regards,

0 Karma

woodcock
Esteemed Legend

I agree with what @aakwah wrote, but a bad props.conf file is not going to stop data from coming in (although it may come in "wrong"). We need to see your inputs.conf file. When you make changes to inputs.conf, you must restart the forwarder's Splunk instance.

0 Karma

aakwah
Builder

Hello,

For JSON object extraction you can make use of INDEXED_EXTRACTIONS; the following stanza should work fine.

 [json_mention]
 INDEXED_EXTRACTIONS = json
 KV_MODE = none
 LEARN_MODEL = false
 TRUNCATE = 0
 category = Structured
 description = JavaScript Object Notation format.

Please note that INDEXED_EXTRACTIONS should be applied at input time, when data is first read by Splunk.

Check props.conf doc for more details:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Propsconf

Regards

0 Karma
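
An added illustration, not written by any poster in this thread, of how data can come in "wrong" with the LINE_BREAKER from the question: Splunk ends the previous event where the first capture group starts, begins the next where it ends, and discards the group's text. The Python below is a simplified model of that rule run on constructed sample JSON; `break_events`, `report`, the sample data and the `SEPARATOR_ONLY` pattern are assumptions made for the illustration.

```python
import json
import re

# Constructed sample file contents (not data from the thread).
SAMPLE = '''{
  "location": "Lisbon",
  "collected_at": "2017-05-10 12:00:01",
  "text": "first mention"
}
{
  "location": "Porto",
  "collected_at": "2017-05-10 12:00:07",
  "text": "second mention"
}
'''

ASKED = r'({\s+"location":)'  # LINE_BREAKER exactly as posted in the question
# Hypothetical variant: capture only the whitespace between two objects.
SEPARATOR_ONLY = r'\}(\s*)\{\s+"location":'

def break_events(raw, line_breaker):
    """Simplified LINE_BREAKER model: split at capture group 1 and drop its text.
    Whitespace-only events are skipped and events are trimmed for readability."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])  # previous event ends at group start
        start = m.end(1)                      # next event begins at group end
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]

def is_json(event):
    """True if the event text is a complete JSON document."""
    try:
        json.loads(event)
        return True
    except ValueError:
        return False

def report(line_breaker):
    """Return (event_count, events_that_still_parse_as_json)."""
    events = break_events(SAMPLE, line_breaker)
    return len(events), sum(is_json(e) for e in events)

if __name__ == "__main__":
    for name, pattern in (("as posted", ASKED), ("separator only", SEPARATOR_ONLY)):
        count, valid = report(pattern)
        first = break_events(SAMPLE, pattern)[0].splitlines()[0]
        print(f"{name}: {count} events, {valid} valid JSON, first line: {first!r}")
```

In this model the posted pattern yields two events that have both lost their opening `{ "location":` and no longer parse as JSON, while the separator-only pattern keeps both objects intact.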