topic How to Split JSON Array into Multiple Events using configuration ? in Splunk Dev

How to Split JSON Array into Multiple Events using configuration ?

karajada94 — Tue, 04 Dec 2018 09:42:29 GMT

    {
     "cluster_call_quality":{
      "crPartyId" : "12345",
      "cluster_call_quality_summary":
        [
            {
              "clusterId":"Cluster1",
              "date":"2018-10-03",
              "totalNumberOfCalls":2000,
              "failedCalls" : 1000,
              "degradedCalls":200,
              "failedCallsPercentage" : 50,
              "degradedCallsPercentage":10
            },
            {
              "clusterId":"Cluster2",
              "date":"2018-11-04",
              "totalNumberOfCalls":1200,
              "failedCalls" : 400,
              "degradedCalls":300,
              "failedCallsPercentage" : 33,
              "degradedCallsPercentage":25
            },
            {
              "clusterId":"Cluster3",
              "date":"2018-12-05",
              "totalNumberOfCalls":700,
              "failedCalls" : 350,
              "degradedCalls":100,
              "failedCallsPercentage" : 50,
              "degradedCallsPercentage":14
            }
        ]
    }

    }



Output:-
3 events should come
with each events like below:-

 {
           "clusterId":"Cluster1",
           "date":"2018-10-03",
           "totalNumberOfCalls":2000,
           "failedCalls" : 1000,
           "degradedCalls":200,
           "failedCallsPercentage" : 50,
           "degradedCallsPercentage":10
         }

Re: How to Split JSON Array into Multiple Events using configuration ?

kamlesh_vaghela — Tue, 04 Dec 2018 14:26:48 GMT

@karajada94

Basically, you have to add below configuration in props.conf.

[YOUR_SOURCETYPE]
BREAK_ONLY_BEFORE = (\{|\[\s+{)
DATETIME_CONFIG = 
MUST_BREAK_AFTER = (\}|\}\s+\])
NO_BINARY_CHECK = true
SEDCMD-a = s/(^\{)//g
SEDCMD-b = s/(.*cucm_cluster_call_quality.*)//g
SEDCMD-c = s/(.*crPartyId.*)//g
SEDCMD-d = s/(.*cucm_cluster_call_quality_summary.*)//g
SEDCMD-e = s/(.*[\[|\]].*)//g
SEDCMD-f = s/(\n})//g
SEDCMD-h = s/}(,)/}/g
SEDCMD-i = s/(^(?:[\t ]*(?:\r?\n|\r))+)//g
SEDCMD-j = s/(^}$)//g
SEDCMD-k = s/(\s)//g
category = Structured
disabled = false
pulldown_type = true

Can you please try and let me know?

Re: How to Split JSON Array into Multiple Events using configuration ?

FrankVl — Tue, 04 Dec 2018 14:51:41 GMT

Use this line breaker config in props.conf

SHOULD_LINEMERGE = false
LINE_BREAKER = (?:\[([\r\n\s]+))|(?:\}(,[\r\n\s]+)\{)|(?:([\r\n\s]+)\])

Which splits of the header, splits the events and splits off the footer closing brackets. You can then add some props and transforms to drop the header and footer bits.

props.conf:

TRANSFORMS-setnull = json-drop-all,json-accept-real

transforms.conf:

[json-drop-all]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

[json-accept-real]
REGEX = clusterId
DEST_KEY = queue
FORMAT = indexQueue