Basic Splunk configuration for streaming JSON Lines over TCP

To stream JSON Lines to Splunk over TCP, you need to configure a Splunk TCP data input that breaks each line of the stream into a separate event, recognizes event time stamps, and specifies the event data format as JSON.

The following Splunk configuration stanzas define a minimal configuration for streaming JSON Lines over TCP: one stanza in inputs.conf, and one in props.conf.

Depending on your own site practices, you might perform additional configuration, such as assigning different source types, routing events to different indexes, or using secure TCP.

Location of Splunk configuration stanzas

This Transaction Analysis Workbench documentation refers to Splunk configuration (.conf) file names, but not directory paths. It is your decision where to store the Splunk configuration stanzas for Transaction Analysis Workbench.

For example, you might choose to create a Splunk application directory named your-organization-fuw specifically for Transaction Analysis Workbench, and save the configuration files there:

$SPLUNK_HOME/etc/apps/your-organization-fuw/local/*.conf

inputs.conf

The following stanza in inputs.conf defines an unsecure TCP input that listens on port 6068, assigns the source type fuw to all incoming events, and stores the events in the default index (typically, main):

[tcp://:6068]
sourcetype = fuw

The port number and source type shown here are examples only. The actual values are your choice.

props.conf

The following stanza in props.conf defines the properties of the fuw source type:

[fuw]
SHOULD_LINEMERGE = false
KV_MODE = json
TIME_PREFIX = {"time":"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z

The combination of SHOULD_LINEMERGE = false and KV_MODE = json defines the incoming data as JSON Lines: one event per line, data in JSON format. These two settings apply to different stages in the Splunk data pipeline: SHOULD_LINEMERGE applies to parsing, before indexing; KV_MODE applies later, to search-time field extraction.

The example regular expression for TIME_PREFIX is case sensitive; it matches the lowercase field name time, which is the default field name for event time stamps in JSON from Transaction Analysis Workbench.

The example value for TIME_FORMAT matches time stamps from Transaction Analysis Workbench that have been created by a JSON command that specifies the parameter TIMEFORMAT(ISO8601).
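As an added example that is not part of this documentation (and not code from Transaction Analysis Workbench or Splunk), the following Python script shows what the two stanzas together expect of the stream: it serializes events as JSON Lines, sends them over plain TCP, splits the received byte stream on newlines the way SHOULD_LINEMERGE = false does, and applies the TIME_PREFIX regular expression and the TIME_FORMAT pattern to each line to confirm that Splunk would find the time stamp. The sample events, the field names other than time, and the stand-in loopback listener are constructed for illustration; Python's %f and %z stand in for Splunk's %6N and %:z.

```python
"""Added example, not from the Transaction Analysis Workbench documentation:
emit JSON Lines over TCP and check each line against the props.conf settings."""
import json
import re
import socket
import threading
from datetime import datetime

# Mirror of the props.conf stanza. TIME_PREFIX is a regex that locates the
# time stamp; Python's %f stands in for Splunk's %6N, and Python's %z (3.7+)
# accepts the colon-separated UTC offset that Splunk's TIME_FORMAT writes as %:z.
TIME_PREFIX = re.compile(r'{"time":"')
TIME_FORMAT_PY = "%Y-%m-%dT%H:%M:%S.%f%z"
# Shape of the ISO 8601 time stamp that TIME_FORMAT describes.
TIME_STAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{2}:\d{2}")

# Constructed sample events; the field names other than "time" are made up.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:15:30.123456+00:00", "code": "CICS", "tranid": "ABCD"},
    {"time": "2024-05-01T10:15:31.000001-05:00", "code": "CICS", "tranid": "EFGH"},
    # Counter-example: "time" is not the first field, so the literal "{" in
    # TIME_PREFIX never precedes it and Splunk would not find this time stamp.
    {"tranid": "IJKL", "time": "2024-05-01T10:15:32.500000+00:00"},
]


def to_jsonl(events):
    """Serialize events as JSON Lines: one compact JSON object per line,
    newline-terminated, with key order preserved so "time" stays first."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)


def extract_time(line):
    """Return the event time the stanza would assign to one line, or None when
    the TIME_PREFIX regex (or the TIME_FORMAT shape after it) does not match."""
    m = TIME_PREFIX.search(line)
    if m is None:
        return None
    ts = TIME_STAMP.match(line, m.end())
    if ts is None:
        return None
    return datetime.strptime(ts.group(0), TIME_FORMAT_PY)


def check_lines(lines):
    """For each received line, parse it as JSON (what KV_MODE = json expects) and
    report (tranid, extracted time); a None time means Splunk would not take the
    event time from this field and would fall back to another time source."""
    report = []
    for line in lines:
        obj = json.loads(line)
        report.append((obj.get("tranid"), extract_time(line)))
    return report


def send_jsonl(events, host, port):
    """Stream the events to a TCP input (unencrypted, like the [tcp://:6068] stanza)."""
    with socket.create_connection((host, port)) as s:
        s.sendall(to_jsonl(events).encode("utf-8"))


def stream_and_capture(events):
    """Round trip through a stand-in for the Splunk TCP input on an ephemeral
    loopback port: split the byte stream on newlines (SHOULD_LINEMERGE = false)
    and return the lines exactly as received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
        received.extend(buf.decode("utf-8").splitlines())

    worker = threading.Thread(target=serve)
    worker.start()
    send_jsonl(events, "127.0.0.1", port)
    worker.join()
    srv.close()
    return received


if __name__ == "__main__":
    for tranid, when in check_lines(stream_and_capture(SAMPLE_EVENTS)):
        print(tranid, when.isoformat() if when else "NO TIME STAMP FOUND")
```

Because the TIME_PREFIX regular expression begins with a literal opening brace, it only matches when time is the first member of the JSON object; the third sample event shows the result when it is not. Each line must also be a complete JSON object on its own, since KV_MODE = json extracts fields from the whole line at search time.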