Splunk | Create your data source

Create a custom data source to support the Splunk Perfecto Connector library.

When events are submitted to the HTTP Event Collector (HEC) with a JSON payload, Splunk does not extract and map the JSON fields on its own. You can correct this by defining a custom source type that extracts the fields automatically. The source type configuration below was adapted from one published on GitHub and fits our process.

Important: This document includes references to a third-party product, Splunk. The user interface and usage of third-party products are subject to change without notice. For the latest published information about Splunk, see https://docs.splunk.com/Documentation.

To set up the data source:

  1. Click Settings and then Source types.

  2. Click New Source Type.

  3. Set the Name and Description of the source type and change Indexed Extractions to json.

  4. Select Advanced and then add new settings.

  5. Add the following three settings (Name and Value):

    Name                     Value

    EXTRACT-QUOTED-KVPS      (?:\\r\\n)?(?:\\n)?(?:\\t)?(?<_KEY_1>[a-zA-Z0-9._]+)=\\\"(?<_VAL_1>[A-Z0-9_\s:;!@#$%^&*()\/[\]{}|+.~,'\-]+)\\\"

    EXTRACT-UNQUOTED-KVPS    (?:\\r\\n)?(?:\\n)?(?:\\t)?(?<_KEY_2>[a-zA-Z0-9._]+)=(?<_VAL_2>[a-zA-Z0-9_:;!@#$%^&*()\/[\]{}|+.~'\-]+)

    KV_MODE                  json

  6. Click Save.
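The following Python script is an added example, not part of the Perfecto documentation or of the GitHub configuration it was adapted from. It spells out the props.conf stanza that the six UI steps produce and then applies the three settings to a constructed HEC event the way Splunk does at search time: KV_MODE=json flattens the JSON object into dotted field names (device.model, tags{}), and the two EXTRACT-* regexes, whose _KEY_n/_VAL_n groups name fields dynamically, pull key=value pairs out of a string inside the event. The source type name perfecto:hec_json, the sample event and its field names are assumptions. Note that the regexes look for backslash-escaped quotes (\\\") and newlines (\\r\\n), which is what you see in _raw when key=value text sits inside a JSON string value.

```python
import configparser
import json
import re

# Constructed example (not from the page): the props.conf stanza the six UI
# steps above produce. The source type name "perfecto:hec_json" is an
# assumption; the three Advanced settings are the ones from the table.
PROPS_CONF = r"""
[perfecto:hec_json]
INDEXED_EXTRACTIONS = json
KV_MODE = json
EXTRACT-QUOTED-KVPS = (?:\\r\\n)?(?:\\n)?(?:\\t)?(?<_KEY_1>[a-zA-Z0-9._]+)=\\\"(?<_VAL_1>[A-Z0-9_\s:;!@#$%^&*()\/[\]{}|+.~,'\-]+)\\\"
EXTRACT-UNQUOTED-KVPS = (?:\\r\\n)?(?:\\n)?(?:\\t)?(?<_KEY_2>[a-zA-Z0-9._]+)=(?<_VAL_2>[a-zA-Z0-9_:;!@#$%^&*()\/[\]{}|+.~'\-]+)
"""

# Constructed HEC "event" object (field names are assumptions). Once indexed,
# _raw is this object serialized, so the quotes inside "details" appear as \",
# which is exactly what the \\\" in EXTRACT-QUOTED-KVPS is written to match.
SAMPLE_EVENT = {
    "executionId": "exec-0001",
    "status": "SUCCESS",
    "device": {"model": "Galaxy S21", "os": "Android"},
    "tags": ["smoke", "regression"],
    "details": 'result="PASSED" message="Checkout page loaded" platform=Android retries=2',
}
SAMPLE_RAW = json.dumps(SAMPLE_EVENT)


def load_sourcetype(props_text, sourcetype):
    """Read one source type stanza. Setting names are case-sensitive, and the
    regex values contain '%' and '=', so disable interpolation and split only
    on the first '='."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(props_text)
    return dict(parser[sourcetype])


def splunk_regex(pattern):
    """Splunk uses PCRE named groups (?<name>...); Python's re wants (?P<name>...).
    The page's patterns contain no lookbehind, so the plain replacement is safe."""
    return re.compile(pattern.replace("(?<", "(?P<"))


def apply_extract(regex, raw):
    """Emulate EXTRACT-* with dynamic names: the text captured by _KEY_<n>
    becomes the field name and _VAL_<n> its value."""
    fields = {}
    for match in regex.finditer(raw):
        groups = match.groupdict()
        for name, key in groups.items():
            if name.startswith("_KEY_") and key is not None:
                value = groups.get("_VAL_" + name[len("_KEY_"):])
                if value is not None:
                    fields[key] = value
    return fields


def flatten_json(value, prefix=""):
    """Approximate KV_MODE=json naming: nested objects become dotted names
    (device.model); arrays become one multivalue field named with {} (tags{})."""
    fields = {}
    if isinstance(value, dict):
        for key, item in value.items():
            fields.update(flatten_json(item, f"{prefix}.{key}" if prefix else key))
    elif isinstance(value, list):
        for item in value:
            for name, val in flatten_json(item, prefix + "{}").items():
                fields.setdefault(name, []).extend(val if isinstance(val, list) else [val])
    elif isinstance(value, str):
        fields[prefix] = value
    else:
        fields[prefix] = json.dumps(value)  # numbers, booleans, null as JSON text
    return fields


def search_time_fields(props_text, sourcetype, raw):
    """Fields a search would see for one _raw event under the given stanza."""
    settings = load_sourcetype(props_text, sourcetype)
    fields = {}
    if settings.get("KV_MODE") == "json":
        fields.update(flatten_json(json.loads(raw)))
    for name, pattern in settings.items():
        if name.startswith("EXTRACT-"):
            fields.update(apply_extract(splunk_regex(pattern), raw))
    return fields


if __name__ == "__main__":
    for name, value in sorted(search_time_fields(PROPS_CONF, "perfecto:hec_json", SAMPLE_RAW).items()):
        print(f"{name} = {value!r}")
```

Running it shows result, platform and retries extracted alongside the flattened JSON fields, but not message: the quoted-value class in EXTRACT-QUOTED-KVPS is [A-Z0-9_...] with no lowercase letters, so a quoted value containing lowercase text is skipped while unquoted values (which do allow lowercase) are captured. Check that against the values Perfecto actually emits before relying on the quoted extraction. Also, Splunk's documentation cautions against combining INDEXED_EXTRACTIONS=json with KV_MODE=json on the same source type because the JSON fields can then be extracted at index time and again at search time; if each field shows up twice in results, set KV_MODE to none.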