topic Re: json file line break in Splunk Dev

json file line break

sarit_s — Sun, 05 Dec 2021 10:26:21 GMT

Hello

i have a json log and i cannot figure out how to break the lines correctly

this is how it looks like :

how can i break the lines that each event will be on is own ?

Re: json file line break

PickleRick — Sun, 05 Dec 2021 11:40:11 GMT

Break on date, set proper time format and time prefix?

Re: json file line break

sarit_s — Sun, 05 Dec 2021 11:53:14 GMT

yes, you can see it is the image attached

Re: json file line break

PickleRick — Sun, 05 Dec 2021 12:21:54 GMT

Yes, but I don't see your time format definition. And it's definitely wrong since the time in raw event is different than the event time in splunk.

You could set TIME_PREFIX as well.

Re: json file line break

sarit_s — Sun, 05 Dec 2021 12:22:47 GMT

as you can see, it consider 2 events as one for some reason

Re: json file line break

ITWhisperer — Sun, 05 Dec 2021 13:22:39 GMT

Since you have 4-digit years, would this work better for the break before pattern?

^\d\d(\d\d\D){6}\S

Re: json file line break

sarit_s — Sun, 05 Dec 2021 13:42:17 GMT

thanks

Re: json file line break

PickleRick — Sun, 05 Dec 2021 14:05:13 GMT

I still believe there is something not entirely right with your timestamp recognition. True, in the second screenshot the timestamp "seems" to be right. But.

From the time format you're using, I presume you're somewhere in the US and your local timezone is not GMT. Your event's timestamp is GMT, so...

Anyway, if your logs are reporting time in GMT when they should do in your local time, you have another problem to resolve before you hit some issues with time inconsistency later on.