Reputation: 37
how do I parse a JSON file to SPLUNK?
I want to load a JSON file of evetlogs to be the source_type of SPLUNK. how do I parse it to something I can perform searches on? thank you
Upvotes: 0
Views: 3472
Answers (1)
Reputation: 2651
If you can ingest the file, you can set the KV_MODE=json and the fields will be parsed properly. Refer to https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Automatickey-valuefieldextractionsatsearch-time
If you have already ingested the file, you can use spath to extract the fields properly. Refer to https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath . Use it as index=* | spath output=out_field path=path_field
You can also use the spath of the eval command. Refer to https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/TextFunctions#spath.28X.2CY.29 . You can use it as index=* | eval f=spath(_raw, "foo.bah")
Upvotes: 1
Related Questions
- Splunk: Configure inputs.conf to parse only JSON files
- how do I extract keys from a JSON object?
- splunk : json spath extract
- Splunk search the key in json
- How to extract Key Value fields from Json string in Splunk
- Python: .json data from splunk
- How to extract fields from JSON string in Splunk
- Splunk not recognizing regex
- Extracting values from json in Splunk using spath
- Unable to extract JSON fields in Splunk