https://community.splunk.com/t5/Getting-Data-In/Indexing-Json-objects-to-Splunk/m-p/147903#M30087 <P>For me removing the <CODE>LINE_BREAKER = "(^){"</CODE> from the props.conf file did the trick</P> Wed, 20 Nov 2013 08:53:07 GMT leustean 2013-11-20T08:53:07Z https://community.splunk.com/t5/Getting-Data-In/Indexing-Json-objects-to-Splunk/m-p/147901#M30085 <P>Hi all,</P> <P>Until recently I used to print to standard output a single json object, effectively having it indexed into Splunk and it worked great for me. Each field in the Json object was correctly picked up by Splunk and the Json object was turned into an event.</P> <P>My props.conf looks like :</P> <PRE><CODE>[default] KV_MODE = json LINE_BREAKER = "(^){" NO_BINARY_CHECK = 1 TRUNCATE = 0 SHOULD_LINEMERGE = false [my-source] DATETIME_CONFIG = CURRENT </CODE></PRE> <P>But since I needed to extend the functionality I began printing in a loop several json objects :</P> <PRE><CODE>for st in stats: # Index each json object to Splunk print (json.dumps(st)) sys.stdout.flush() </CODE></PRE> <P>The effect is that now all json objects are mashed up together in a single event no field is detected .</P> <P>Could someone provide input on how to have every Json Object in a separately Event ?</P> <P>Cheers</P> Tue, 19 Nov 2013 15:44:01 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-Json-objects-to-Splunk/m-p/147901#M30085 leustean 2013-11-19T15:44:01Z https://community.splunk.com/t5/Getting-Data-In/Indexing-Json-objects-to-Splunk/m-p/147902#M30086 <P>I would do it this way:</P> <PRE><CODE>[my-source] DATETIME_CONFIG = CURRENT KV_MODE = json NO_BINARY_CHECK = 1 TRUNCATE = 0 SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = someregularexpression MAX_EVENTS = 1000 </CODE></PRE> <P>First, I would not put anything in the default stanza unless you mean for it to apply to every input forever. </P> <P>Second, the LINE_BREAKER is longer useful, and Splunk <EM>does</EM> need to line-merge events. So to define the split between events, you need to tell Splunk what to look for. I usually use <CODE>BREAK_ONLY_BEFORE</CODE>, which should be set to a regular expression that matches a string that will only (and always) appear on the first line of each JSON event. Note that regular expression can appear anywhere within the first line - it doesn't have to be at the beginning - and Splunk will still break at the beginning of the line. Finally, <CODE>MAX_EVENTS</CODE> is not really the maximum number of events - it is the maximum number of lines in an event. So I made it larger than the default of 256, but that might not be necessary for you.</P> <P>In the manual, you might want to look at the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Overviewofeventprocessing" target="_blank">event processing section</A>.</P> Mon, 28 Sep 2020 15:19:07 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-Json-objects-to-Splunk/m-p/147902#M30086 lguinn2 2020-09-28T15:19:07Z https://community.splunk.com/t5/Getting-Data-In/Indexing-Json-objects-to-Splunk/m-p/147903#M30087 <P>For me removing the <CODE>LINE_BREAKER = "(^){"</CODE> from the props.conf file did the trick</P> Wed, 20 Nov 2013 08:53:07 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-Json-objects-to-Splunk/m-p/147903#M30087 leustean 2013-11-20T08:53:07Z