Basic Splunk configuration for streaming JSON Lines over TCP
To stream JSON Lines to Splunk over TCP, you need to configure a Splunk TCP data input that breaks each line of the stream into a separate event, recognizes event time stamps, and specifies the event data format as JSON.
The following Splunk configuration stanzas define a minimal basic configuration for streaming JSON Lines over TCP: one stanza in inputs.conf, and one in props.conf.
Depending on your own site practices, you might perform additional configuration, such as assigning different source types, routing events to different indexes, or using secure TCP.
Location of Splunk configuration stanzas
This Transaction Analysis Workbench documentation refers to Splunk configuration (.conf) file names, but not directory paths. It is your decision where to store the Splunk configuration stanzas for Transaction Analysis Workbench.
For example, you might choose to create a Splunk application directory named your-organization-fuw specifically for Transaction Analysis Workbench, and save the configuration files there:
$SPLUNK_HOME/etc/apps/your-organization-fuw/local/*.conf
inputs.conf
The following stanza in inputs.conf defines an unsecure TCP input that listens on port 6068, assigns the source type fuw to all incoming events, and stores the events in the default index (typically, main):
[tcp://:6068]
sourcetype = fuw
The port number and source type shown here are examples only. The actual values are your choice.
props.conf
The following stanza in props.conf defines the properties of the fuw source type:
[fuw]
SHOULD_LINEMERGE = false
KV_MODE = json
TIME_PREFIX = {\"time\":\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
The combination of SHOULD_LINEMERGE = false and KV_MODE = json defines the incoming data as JSON Lines: one event per line, data in JSON format. These two settings apply to different stages in the Splunk data pipeline: SHOULD_LINEMERGE applies to parsing, before indexing; KV_MODE applies later, to search-time field extraction.
The example regular expression for TIME_PREFIX is case sensitive; it matches the lowercase field name time, which is the default field name for event time stamps in JSON from Transaction Analysis Workbench.
The example value for TIME_FORMAT matches time stamps from Transaction Analysis Workbench that have been created by a JSON command that specifies the parameter TIMEFORMAT(ISO8601).
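As an added example (not part of the Transaction Analysis Workbench documentation or product), the following Python code builds JSON Lines events whose time field satisfies the TIME_PREFIX and TIME_FORMAT settings above, checks each line the way the props.conf stanza would interpret it, and streams the lines to the TCP input. The port and field name come from the stanzas above; the record contents and the sample_event() helper are constructed for illustration.

```python
import json
import re
import socket
from datetime import datetime, timezone

# Python translation of the props.conf settings shown above.
# TIME_PREFIX = {\"time\":\"  is a regex that matches the literal text {"time":"
TIME_PREFIX_RE = re.compile(r'\{"time":"')
# TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
# Splunk strptime extensions: %6N = six-digit fraction, %:z = offset as +hh:mm
TIME_FORMAT_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{2}:\d{2}$'
)
TCP_PORT = 6068  # matches the [tcp://:6068] stanza in inputs.conf above


def make_event(ts: datetime, fields: dict) -> str:
    """Render one JSON Lines event; 'time' is emitted first so that the
    TIME_PREFIX regex finds it at the start of the event."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware to produce %:z")
    # isoformat(timespec="microseconds") yields e.g. 2024-05-01T10:15:30.000123+00:00,
    # which is exactly the shape TIME_FORMAT expects.
    event = {"time": ts.isoformat(timespec="microseconds"), **fields}
    # json.dumps escapes any newline inside a value, so the result is one line.
    return json.dumps(event, separators=(",", ":"), ensure_ascii=True)


def check_event(line: str) -> bool:
    """True when Splunk, configured with the stanzas above, would treat the
    line as exactly one event and extract its time stamp from it."""
    if "\n" in line or "\r" in line:
        return False  # SHOULD_LINEMERGE = false: a raw newline would split the event
    m = TIME_PREFIX_RE.search(line)
    if not m:
        return False  # no {"time":" prefix, so TIME_PREFIX never matches
    end = line.find('"', m.end())
    return end != -1 and TIME_FORMAT_RE.match(line[m.end():end]) is not None


def sample_event() -> str:
    """Constructed sample record (hypothetical field names, not product output)."""
    ts = datetime(2024, 5, 1, 10, 15, 30, 123, tzinfo=timezone.utc)
    return make_event(ts, {"tranid": "TRN1", "rc": 0})


def send_events(lines: list, host: str = "127.0.0.1", port: int = TCP_PORT) -> int:
    """Stream only the lines that pass check_event to the TCP input; returns the count sent."""
    payload = "".join(l + "\n" for l in lines if check_event(l)).encode("utf-8")
    with socket.create_connection((host, port)) as sock:
        sock.sendall(payload)
    return payload.count(b"\n")
```

Lines that fail check_event would still be indexed by Splunk, but with the time stamp taken from the time of indexing rather than from the event, so it is worth rejecting them at the sender.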