https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73214#M14990 <P>Where did you specify this logic? In your $SPUNK_HOME/etc/system/local/props.conf? That's where I'm trying to define this logic to get my events correct when using the Splunk Forwarder, but not having any success. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 09 Apr 2015 15:38:53 GMT sbitterman 2015-04-09T15:38:53Z https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73210#M14986 <P>Hi, I am trying to ingest JSON data into Splunk but I am having difficulties setting up the event breaks. What is the best way to do this?</P> Mon, 25 Mar 2013 09:25:54 GMT https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73210#M14986 thufirtan 2013-03-25T09:25:54Z https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73211#M14987 <P>Assuming that each json event blob starts on a new line with an opening brace <CODE>{</CODE> Then this seems to be working for me:</P> <PRE><CODE>[json] KV_MODE = json LINE_BREAKER = "(^){" NO_BINARY_CHECK = 1 TRUNCATE = 0 SHOULD_LINEMERGE = false </CODE></PRE> Sat, 29 Jun 2013 16:08:29 GMT https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73211#M14987 Jordan_Brough 2013-06-29T16:08:29Z https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73212#M14988 <P>Worked for me ! Json object is not splitted in several events .</P> Thu, 03 Oct 2013 14:05:25 GMT https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73212#M14988 niordache 2013-10-03T14:05:25Z https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73213#M14989 <P>I used this approach to address my question:</P> <P><A href="http://answers.splunk.com/answers/121098/iterate-the-extraction-of-json-objects-using-splunk-query-language">http://answers.splunk.com/answers/121098/iterate-the-extraction-of-json-objects-using-splunk-query-language</A></P> <P>However, I think that this approach has the problem that the json objects are not split into events. Therefore, any aggregation function will not work as expected. Any idea?</P> Wed, 19 Feb 2014 15:20:09 GMT https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73213#M14989 lpolo 2014-02-19T15:20:09Z https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73214#M14990 <P>Where did you specify this logic? In your $SPUNK_HOME/etc/system/local/props.conf? That's where I'm trying to define this logic to get my events correct when using the Splunk Forwarder, but not having any success. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 09 Apr 2015 15:38:53 GMT https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73214#M14990 sbitterman 2015-04-09T15:38:53Z https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73215#M14991 <P>I would really like to know the answer to this as we are having the same problem. We are using the splunk cloud and do not know where to put this logic. On a config file on the cloud server?</P> Wed, 01 Jul 2015 23:55:55 GMT https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73215#M14991 RaistlinLinden 2015-07-01T23:55:55Z https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73216#M14992 <P>$SPLUNK_HOME/etc/system/local/props.conf</P> Wed, 05 Oct 2016 18:19:10 GMT https://community.splunk.com/t5/Getting-Data-In/Event-Break-JSON/m-p/73216#M14992 mjoseff_splunk 2016-10-05T18:19:10Z