JSON Parsing issues

samneo — Fri, 10 Jul 2020 07:37:16 GMT

Im sending a large payload of JSON data to splunk (1000 events) over HEC but when it reaches splunk it does not split the event and thinks its just 1 large event. The JSON is valid but its to do with the first part of the JSON thats the issue. It shows as per the below:

{ "expand": "schema,names", "startAt": 0, "maxResults": 50, "total": 1253, "issues": [

If i remove this manually and then the correlating bottom brackets and send manually, all the events are parsed individually.

The second problem i have is that we are on managed splunk cloud so i dont have access to props.conf to amend the line breaker. Can anyone suggest any other way round this?

Im using spyder python as the middle man to send the load and also testing with postman?

Re: JSON Parsing issues

thambisetty — Sun, 20 Sep 2020 12:14:12 GMT

there could be issue with event format.

Re: JSON Parsing issues

ITWhisperer — Sun, 20 Sep 2020 12:24:49 GMT

Can you modify the payload with your middleman? If not, can you use spath to extract the issues array into a multi value field and then mvexpand to separate them into different events?

topic Re: JSON Parsing issues in Splunk Cloud Platform

JSON Parsing issues

Re: JSON Parsing issues

Re: JSON Parsing issues