How to forward sub-json object to splunk indexer

Question

My application writes log data to disk file. The log data is one-line json as below. I use the splunker-forwarder to send the log to splunk indexer

{"line":{"level": "info","message": "data is correct","timestamp": "2017-08-01T11:35:30.375Z"},"source": "std"}

I want to only send the sub-json object {"level": "info","message": "data is correct","timestamp": "2017-08-01T11:35:30.375Z"} to splunk indexer, not the whole json. How should I configure splunk forwarder or splunk indexer?

skoelpin skoelpin · Accepted Answer · 2017-08-02T20:05:22

You can use sedcmd to delete data before it gets written to disk by the indexer(s).

Add this to your props.conf

[Yoursourcetype]

 #...Other configurations...

 SEDCMD-removejson = s/(.+)\:\{/g

This is an index time setting, so you will need to restart splunkd for changes to take affect

How to forward sub-json object to splunk indexer

1 Answers