Unable to extract JSON fields in Splunk

0
votes

I'm trying to extract JSON fields from syslog inputs.

In ./etc/system/default/props.conf I've added the following lines:

[mylogtype]
SEDCMD-StripHeader = s/^[^{]+//
INDEXED_EXTRACTIONS = json
KV_MODE = none
pulldown_type = true

The SEDCMD works; the syslogs headers are removed.

enter image description here

But the JSON fields are not parsed.

Any ideas?

1
splunk

1 Answers

1
votes

Resolved. Use the following configuration in props.conf

[yourlogtype]
SEDCMD-StripHeader = s/^[^{]+//
KV_MODE = json
pulldown_type = true