I have a JSON file.
When I upload the file on the search head using the props.conf stanza below, it is indexed properly.
Splunk 7.3.4
[json_test]
CHARSET = UTF-8
DATETIME_CONFIG = CURRENT
SEDCMD-cut_footer = s/\]\,\n\s*\"total\":.*$/g
SEDCMD-cut_header = s/^\{\n\s*\"matches\":\s\[/g
category = Structured
disabled = false
HEADER_FIELD_LINE_NUMBER = 3
SHOULD_LINEMERGE = 0
TRUNCATE = 0
INDEXED_EXTRACTIONS = json
KV_MODE = none
When I upload the data from the UF, the data does not break into events.
**Universal Forwarder**
props.conf
[json_test]
CHARSET = UTF-8
INDEXED_EXTRACTIONS = json
inputs.conf
[monitor:///tmp/*.json]
disabled = 0
sourcetype = json_test
index = test_hr
crcSalt = REINDEXMEPLEASE
initCrcLength = 780
**Indexer**
props.conf
[json_test]
DATETIME_CONFIG = CURRENT
SEDCMD-cut_footer = s/\]\,\n\s*\"total\":.*$/g
SEDCMD-cut_header = s/^\{\n\s*\"matches\":\s\[/g
category = Structured
disabled = false
HEADER_FIELD_LINE_NUMBER = 3
SHOULD_LINEMERGE = 0
TRUNCATE = 0
**Search Head**
props.conf
[json_test]
KV_MODE = none