JSON parsing after transforms

cornemrc
Explorer

Hello Splunk Community,

I have an issue with JSON parsing in Splunk and hope you can help me with that.

Situation:

  • Logs arrive via syslog on our indexers
  • Inside my app I have the following inputs.conf

 

[monitor:///here_is_the_correct_path]
disabled = false
host_segment = 3
index = buttercup
sourcetype = buttercup:server
host =​

 

  • This is my props.conf

 

[buttercup:server]
TZ = UTC
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
description = buttercup Server Logs
pulldown_type = true
TRANSFORMS-afilter = setnull, setparsing-audit, setparsing-auth
TRANSFORMS-changesourcetype = change-buttercup-server-audit, change-buttercup-server-auth

[buttercup:server:audit]
TZ = UTC
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
description = buttercup Server Auditlog
pulldown_type = true
SEDCMD-strip_prefix = s/^[^{]+//g

[buttercup:server:auth]
TZ = UTC
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
description = buttercup Server Authenticationlog
pulldown_type = true

  • And my transforms.conf

[change-buttercup-server-audit]
REGEX = buttercup_audit\:
FORMAT = sourcetype::buttercup:server:audit
DEST_KEY = MetaData:Sourcetype

[change-buttercup-server-auth]
REGEX = buttercup_auth\:
FORMAT = sourcetype::buttercup:server:auth
DEST_KEY = MetaData:Sourcetype

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing-audit]
REGEX = buttercup_audit\:
DEST_KEY = queue
FORMAT = indexQueue

[setparsing-auth]
REGEX = buttercup_auth\:
DEST_KEY = queue
FORMAT = indexQueue

Description:

  • After the input to index buttercup and sourcetype buttercup:server I use TRANSFORMS-afilter first, to filter everything from the syslog stream that does not include audit or auth logs. Therefore, I am using the setnull/setparsing construct in transforms.conf
  • After the filtering process, data goes back into the indexQueue and I use TRANSFORMS-changesourcetype to assign the matching “buttercup:server:audit” or “buttercup:server:auth” sourcetype.
  • The filtering and sourcetype assigning processes are successful, which shows me that the construct is working fine.

Problem:

  • The problem is that the audit log has a JSON structure which should be parsed by Splunk automatically. To achieve this, I use the SEDCMD for this sourcetype to remove the prefix in front of the JSON structure.
  • This JSON parsing is working fine when I do a manual file input and select buttercup:server:audit directly.
  • But this JSON parsing is not working for manual input when I select buttercup:server.
  • Therefore, it is also not working for monitor input of the syslog stream (as buttercup:server will be used first).

I think the problem has something to do with the SEDCMD and when it will be handled. Do you have any idea how to fix that? I was thinking about doing the SEDCMD part within an additional transform instead, but I don't know how. I have also experimented with adding INDEXED_EXTRACTIONS=JSON and KV_MODE=none (and vice versa) to the sourcetype, but no success.

deckemha
Explorer

Hello all,

we've solved the problem:

Props.conf - sourcetype buttercup:server was adjusted

[buttercup:server]
TZ = UTC
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
description = buttercup Server Logs
pulldown_type = true
TRANSFORMS-afilter = setnull, setparsing-audit, setparsing-auth
TRANSFORMS-changesourcetype = change-buttercup-server-audit, change-buttercup-server-auth
TRANSFORMS-strip-front-json = strip-front-json

The last line was added, and it also replaced the SEDCMD command in the buttercup:server:audit sourcetype.

transforms.conf - added the following

[strip-front-json]
REGEX = ((?<=buttercup_audit: )(.*))
FORMAT = $2
DEST_KEY = _raw

The main problem was that, after rewriting the sourcetype and filtering the events, the parsing does not have any effect anymore because it was already in the indexQueue.

SEDCMD would have also worked in the sourcetype buttercup:server, we think.

There is maybe a better/more efficient way of ordering the transforms, but it works for now.

Many Regards

Michael 
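An added simulation of the index-time chain the answer ends up with (my own Python, not code from the thread or from Splunk): the setnull/setparsing queue routing, the sourcetype rewrite, and the strip-front-json rewrite of _raw, run over three constructed syslog lines. It also applies the original SEDCMD, s/^[^{]+//g, for comparison, which shows the caveat worth knowing if that SEDCMD were moved up to the shared buttercup:server sourcetype: on a line that contains no `{` at all it strips the whole line, whereas the lookbehind transform leaves non-audit events untouched. The sample lines, the in-order application of the three TRANSFORMS classes and the last-match-wins handling of DEST_KEY = queue are assumptions of this simulation, not something the thread verifies.

```python
import json
import re
from typing import Optional

# Constructed sample syslog lines (not taken from the thread): one audit event
# carrying a JSON payload, one auth event, and one unrelated line.
SAMPLE_LINES = [
    '2024-05-01T10:00:00 host1 buttercup_audit: {"user": "alice", "action": "login", "result": "success"}',
    '2024-05-01T10:00:01 host1 buttercup_auth: user=bob method=password result=failure',
    '2024-05-01T10:00:02 host1 cron: job finished',
]

# Regexes copied from the thread's transforms.conf stanzas.
SETNULL_RE = re.compile(r".")                     # [setnull] -> queue = nullQueue
AUDIT_RE = re.compile(r"buttercup_audit\:")       # [setparsing-audit] / [change-buttercup-server-audit]
AUTH_RE = re.compile(r"buttercup_auth\:")         # [setparsing-auth]  / [change-buttercup-server-auth]
STRIP_FRONT_JSON_RE = re.compile(r"((?<=buttercup_audit: )(.*))")  # [strip-front-json], FORMAT = $2

# Regex equivalent of the original SEDCMD-strip_prefix = s/^[^{]+//g
SEDCMD_PREFIX_RE = re.compile(r"^[^{]+")


def apply_transforms(raw: str) -> Optional[dict]:
    """Run one raw event through the three TRANSFORMS classes in the order the
    props.conf stanza lists them (an assumption of this simulation).
    Returns the event's metadata, or None when it is routed to the nullQueue."""
    event = {"sourcetype": "buttercup:server", "queue": "indexQueue", "_raw": raw}

    # TRANSFORMS-afilter = setnull, setparsing-audit, setparsing-auth
    # Every matching transform overwrites DEST_KEY = queue, so the last match wins.
    if SETNULL_RE.search(raw):
        event["queue"] = "nullQueue"
    if AUDIT_RE.search(raw):
        event["queue"] = "indexQueue"
    if AUTH_RE.search(raw):
        event["queue"] = "indexQueue"
    if event["queue"] == "nullQueue":
        return None

    # TRANSFORMS-changesourcetype = change-buttercup-server-audit, change-buttercup-server-auth
    if AUDIT_RE.search(raw):
        event["sourcetype"] = "buttercup:server:audit"
    if AUTH_RE.search(raw):
        event["sourcetype"] = "buttercup:server:auth"

    # TRANSFORMS-strip-front-json: DEST_KEY = _raw, FORMAT = $2 (the inner capture group)
    m = STRIP_FRONT_JSON_RE.search(raw)
    if m:
        event["_raw"] = m.group(2)
    return event


def sedcmd_strip_prefix(raw: str) -> str:
    """The original SEDCMD from the buttercup:server:audit stanza, s/^[^{]+//g."""
    return SEDCMD_PREFIX_RE.sub("", raw)


def parse_json_payload(event: dict) -> Optional[dict]:
    """What automatic JSON extraction would see: _raw has to be pure JSON by now."""
    try:
        return json.loads(event["_raw"])
    except json.JSONDecodeError:
        return None


def run_pipeline(lines=SAMPLE_LINES) -> list:
    """Process every line; returns (raw, event, parsed_json) triples for inspection."""
    results = []
    for line in lines:
        event = apply_transforms(line)
        parsed = parse_json_payload(event) if event else None
        results.append((line, event, parsed))
    return results


if __name__ == "__main__":
    for raw, event, parsed in run_pipeline():
        label = "DROPPED (nullQueue)" if event is None else event["sourcetype"]
        print(label, "->", parsed if parsed is not None else (event or {}).get("_raw"))
    # The SEDCMD applied to a line with no JSON at all leaves an empty event:
    print("SEDCMD on auth line:", repr(sedcmd_strip_prefix(SAMPLE_LINES[1])))
```

Running it shows the unrelated line dropped, the auth line indexed unchanged under buttercup:server:auth, and the audit line reduced to a _raw that json.loads accepts, which is the state Splunk's automatic JSON extraction needs. The transform-based rewrite is the safer of the two because its lookbehind only fires on audit lines; the SEDCMD's `^[^{]+` has no such guard.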
