- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: extract json files fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
extract json files fields
I have json logs that I want to extract.I did All items related to field extraction in props.conf file.
my log
{"export_time":"06:45:53","flows":[{"applicationNamePath":"XXX","applicationName":"tcp","flowStartSeconds":"1589957129","sourceTransportPort":"XXX","sourceIPv4Address":"190.x.x.x","destinationIPv4Address":"X.x.x.x","flowId":"64414","flowDirection":"0","tunnelTechnology":"no","destinationTransportPort":"443","flowExpired":"1","detectionCompleted":"0","tcpControlBits":"14","flowDurationMilliseconds":"9000","octetTotalCount":"152","packetTotalCount":"3","applicationCategoryName":"Network Service","p2pTechnology":"no","attributes":[]}],"last":1}
my props.conf:
indexed_extraction = json
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| spath input=data
Use this one it will help you to extract the fields from the json format of logs.
You can also visit this blog :
https://splunkonbigdata.com/2018/09/05/how-to-extract-fields-from-the-json-format-data-in-splunk/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The example you provided appears to be valid, properly formatted json (checked via https://jsonlint.com).
Did you cycle Splunk after updating props.conf? It's required if/when you modify that config. Also, any data that was ingested prior to any modification of that config will not be displayed correctly, only new data.
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after updating i restart my splunk. what do you mean by cycle?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Restart or cycle, different terms to the same end. You just need to restart the Splunk daemon/service.
You can also try adding the following to your search after modifying props.conf:
| extract reload=true
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
What is the issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,splunk Cannot extract fields.what should i do to extract this json fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when you say cant extract, can you explain it in more detail. You JSON is valid so there shouldnt be any issues
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to make my search based on the fields extracted from my json log.But none of my fields were extracted and I have to extract my desired fields by writing Regex.
i separate my logs with defining different indexes in transforms.conf and props.conf
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
