Passing the message field in JSON to Splunk
I'm having trouble getting the JSON under the "message" field recognized in Splunk. Is there something simple I'm missing on the Cribl side of things to break this JSON out of message, or only keep the JSON in the message as the event?
Answers
-
is _raw shown as `a` or `{}`?
0 -
`a`
0 -
Try this: Parser function -> source _raw -> destination _raw -> JSON -> extract
0 -
now _raw should be `{}` if yes, is message also `{}`, or still `a`?
0 -
_raw is now `{}` message is still `a`
0 -
add another parser -> source _raw.message -> destination _raw.message -> JSON -> extract
0 -
my bet is that the message field was escaped (double escaped?) JSON
0 -
with the 2nd parser, is it showing as `{}`?
0 -
yes it is
0 -
noice
0 -
should be good to send to splunk now
0 -
(to be safe, I'd probably add a final function, Serialize, to turn _raw (all of it) back into a string):
0 -
this time though, it will only be 1 level of stringification, so splunk will handle it
0 -
it took a minute but looks great in Splunk now
0 -
Thanks for the help!
0
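The thread above never shows what the event actually looks like at each step, so here is an added example (not from the thread, and not Cribl's own Parser or Serialize code) that models the three-function pipeline the answer describes: parse `_raw` as JSON, parse the nested `_raw.message` string as JSON, then serialize `_raw` back to a single-level JSON string. The sample event is constructed; the `parseJsonField`, `serializeField` and `stringificationDepth` helpers are hypothetical stand-ins for the Cribl functions, written in plain Node.js so the behaviour can be checked offline. It also includes a small depth check that tells you how many times a field was stringified, which is the quickest way to confirm the "double escaped JSON" diagnosis before building the pipeline.

```javascript
// Added example: models the Cribl pipeline from the thread (Parser -> Parser -> Serialize).
// This is NOT Cribl's implementation; it is a plain-JS simulation of what each step does.

// Constructed sample event: _raw is a JSON string whose "message" field holds
// *stringified* JSON (the "double escaped" shape Splunk does not unpack on its own).
const sampleRaw = JSON.stringify({
  time: "2024-01-01T00:00:00Z",          // constructed timestamp
  host: "web-01",                         // constructed host name
  message: JSON.stringify({ level: "error", user: "alice", status: 500 }),
});

// Minimal dotted-path helpers so "_raw.message" can be read and written like in Cribl.
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}
function setPath(obj, path, value) {
  const keys = path.split(".");
  const last = keys.pop();
  const parent = keys.reduce((o, k) => (o[k] == null ? (o[k] = {}) : o[k]), obj);
  parent[last] = value;
}

// How many JSON.parse passes until the value stops being a string?
// 0 = not JSON text at all, 1 = normal JSON, 2+ = stringified JSON inside JSON.
function stringificationDepth(value) {
  let depth = 0;
  let cur = value;
  while (typeof cur === "string") {
    try {
      cur = JSON.parse(cur);
      depth++;
    } catch (e) {
      break; // not valid JSON text; stop counting
    }
  }
  return depth;
}

// Stand-in for Parser(type=JSON, source, destination): parse a string field into an object.
// A field that is already an object, or not valid JSON, is left untouched so the
// event still flows through the pipeline instead of being dropped.
function parseJsonField(event, source, dest) {
  const value = getPath(event, source);
  if (typeof value !== "string") return event;
  try {
    setPath(event, dest, JSON.parse(value));
  } catch (e) {
    // leave the event unchanged; downstream can still see the original text
  }
  return event;
}

// Stand-in for Serialize(type=JSON): turn the (now fully parsed) object back into
// one string, so Splunk only has one level of stringification to undo.
function serializeField(event, field) {
  const value = getPath(event, field);
  if (typeof value !== "string") setPath(event, field, JSON.stringify(value));
  return event;
}

// The pipeline from the thread, applied to an event whose _raw is a string.
function runPipeline(raw) {
  const event = { _raw: raw };
  parseJsonField(event, "_raw", "_raw");                 // step 1: _raw  a -> {}
  parseJsonField(event, "_raw.message", "_raw.message"); // step 2: message a -> {}
  serializeField(event, "_raw");                         // step 3: {} -> single string
  return event;
}

// Before: the message field is a string nested inside JSON (depth 1 inside depth 1).
const before = JSON.parse(sampleRaw);
console.log("message before pipeline is a", typeof before.message,
            "with JSON depth", stringificationDepth(before.message));

// After: one JSON.parse yields the nested fields directly, the way Splunk will see them.
const after = JSON.parse(runPipeline(sampleRaw)._raw);
console.log("message.level after pipeline:", after.message.level);
```

Running this with `node` shows `message` as a string before the pipeline and as a real object with `level`, `user` and `status` keys afterwards; in the Cribl UI that corresponds to the field icon changing from `a` to `{}`. If `stringificationDepth(before.message)` reports 2 rather than 1, the source is escaping the payload one more time than expected and you would need a third Parser step with the same source/destination.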