From twitter input to Splunk HTTP Event collector

drosys · June 13, 2018, 11:47am

Dear All,
I am trying to send twitter input data to HTTP Event collector of Splunk.
The main issue is that twitter input plugin generate a JSON object which needs to be modified to become a "value" of the key "event".
Example:
twitter-input generate:
{"bb": "xxxx", "c": {"z": 3, "h":u } }

The previous output cannot be sent to Splunk this way... Indeed it needs to be converted to:

{"event": {"bb": "xxxx", "c": {"z": 3, "h":u } } }

I can't find any solution to perform this operation...

For me there are 2 possibilities which I cannot find an easy way to implement:

Modify the JSON structure through a filter and copy the whole event inside a field ?
Can't find how to get the full JSON info as a variable ?
At the output time:
Prefix the message with:
'{"event": '
And suffix the message to:
'}'

Any solution for that ?
All the exemple found on the forum are based on the fact that the Input generates a "string" object which can obviously be manipulated with grok etc...

Thanks in advance for your help !

jakelandis · June 13, 2018, 10:02pm

I think this will shape the JSON the way you want:

filter {
	json {
     	source => message
     	target => event
     	remove_field => ["message", "@version", "@timestamp"]
  	}
  }

Input:

{"bb": "xxxx", "c": {"z": 3, "h": "u" } }

Output:

{"event":{"bb":"xxxx","c":{"h":"u","z":3}}}

system · July 11, 2018, 10:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.