I have a process that sends JSON-format data to Splunk on a UDP port. In the settings I have set `sourcetype = _json`. Splunk detects and syntax-highlights the data when searching, but it does not automatically extract the fields. Any idea how to fix it?
Here is the inputs.conf:
[udp://8704]
connection_host = dns
index = infra_mi6
sourcetype = _json
Sample search result; however, none of these fields show up in Interesting Fields:
4/6/16 3:39:06.809 PM
{
    EventName: SHEET_ACTIVATE
    env: PROD
    host: NB-9-1091
    level: INFO
    msg: null
    ts: 2016-04-06T22:39:06.8099873Z
    user: sangupta
    workbook: Team Responsible - Low
}
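The usual cause of this symptom is that the built-in `_json` sourcetype relies on `INDEXED_EXTRACTIONS = json` (with `KV_MODE = none`), and indexed extractions are only performed for file-based inputs, so events arriving over a UDP network input get no field extraction at all. The configuration below is an added example, not from the original post: it keeps the poster's input stanza but switches to a custom sourcetype (the name `infra_json` is assumed) whose props.conf stanza enables search-time JSON extraction instead.

```ini
# inputs.conf -- same stanza as in the question, only the sourcetype changes.
# The sourcetype name "infra_json" is an assumption; any name not starting
# with "_" works as long as it matches the props.conf stanza below.
[udp://8704]
connection_host = dns
index = infra_mi6
sourcetype = infra_json

# props.conf -- deploy on the Splunk instance that parses the UDP data
# (the indexer, or a heavy forwarder if one sits in front of it).
[infra_json]
# Search-time JSON extraction: fields such as EventName, env, host,
# level, user and workbook then appear under Interesting Fields.
KV_MODE = json
# One UDP datagram carries one JSON object; never merge lines into events.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Keep the JSON label in search so existing dashboards can pull it down.
pulldown_type = true
category = Structured
```

Restart Splunk (or reload the configuration) after the change; events indexed before it keep the old sourcetype, so verify against newly received data. Until the change is in place, piping the existing events through `| spath` in search confirms that the payload is parseable JSON and that only the extraction setting is missing.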