<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Sending JSON Data with HTTP:  Events are inconsistent in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Sending-JSON-Data-with-HTTP-Events-are-inconsistent/m-p/23671#M3733</link>
    <description>&lt;P&gt;&lt;CODE&gt;json&lt;/CODE&gt; is not a supported sourcetype; it means that Splunk will try to guess the timestamp / linebreaking.&lt;/P&gt;

&lt;P&gt;Please try with one of the 3 supported json sourcetypes, probably the third one.&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;CODE&gt;json_no_timestamp&lt;/CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;CODE&gt;json_auto_timestamp&lt;/CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;CODE&gt;json_predefined_timestamp&lt;/CODE&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;See &lt;A href="http://docs.splunk.com/Documentation/Storm/latest/User/Sourcesandsourcetypes"&gt;http://docs.splunk.com/Documentation/Storm/latest/User/Sourcesandsourcetypes&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 03 Apr 2013 16:59:27 GMT</pubDate>
    <dc:creator>yannK</dc:creator>
    <dc:date>2013-04-03T16:59:27Z</dc:date>
    <item>
      <title>Sending JSON Data with HTTP:  Events are inconsistent</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sending-JSON-Data-with-HTTP-Events-are-inconsistent/m-p/23670#M3732</link>
      <description>&lt;P&gt;Initially I used the Python script to create a log handler to send out JSON formatted log messages, but I noticed that most of my events had 60 to 70 JSON objects.  Some of my events have a single JSON object, which is what I need.&lt;/P&gt;

&lt;P&gt;Next I made a bash script which uses curl to send each message separately, and I got the same thing.  I don't understand what's going on here because I'm making a new connection each time (for each event), yet sometimes the events are stored as compilations.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$ head -100 test.log | grep Completed
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}
{"instanceID":"i-287d3871","timestamp":"634908540742893112","message":"SinterConsumer: Completed"}
$ cat test.log | grep Completed | wc -l
197
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;PRE&gt;&lt;CODE&gt;% cat test.log | grep Completed | while read -r line ; do curl -u x:$TOKEN "https://api.splunkstorm.com/1/inputs/http?index=XXXXXXXXX&amp;amp;sourcetype=json" -H "Content-type: text/plain" -d "$line"; done
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The problem here is when I do something like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;spath "instanceID" | search "instanceID"="i-2a7d3873"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I get 6 results (events), when in reality there are 197.  I pasted event #2 and event #3 so you can see what I'm talking about.&lt;/P&gt;

&lt;P&gt;2 »    2/7/13&lt;BR /&gt;
12:01:42.000 AM     &lt;/P&gt;

&lt;P&gt;{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;BR /&gt;
{"instanceID":"i-2a7d3873","timestamp":"634908540715990001","message":"SinterConsumer: Completed"}&lt;/P&gt;

&lt;P&gt;Show all 67 lines&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;host=....   Options|  
sourcetype=json   Options|  
source=....   Options
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;3   »  2/7/13&lt;BR /&gt;
12:01:35.000 AM     &lt;/P&gt;

&lt;P&gt;{[-]&lt;BR /&gt;
  instanceID : "i-2a7d3873",&lt;BR /&gt;
  message : "SinterConsumer: Completed",&lt;BR /&gt;
  timestamp : "634908540715990001"&lt;BR /&gt;
}&lt;/P&gt;

&lt;P&gt;Show as raw text&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;host=....   Options|  
sourcetype=json   Options|  
source=....   Options
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 07 Feb 2013 18:51:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sending-JSON-Data-with-HTTP-Events-are-inconsistent/m-p/23670#M3732</guid>
      <dc:creator>boverhof</dc:creator>
      <dc:date>2013-02-07T18:51:15Z</dc:date>
    </item>
    <item>
      <title>Re: Sending JSON Data with HTTP:  Events are inconsistent</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sending-JSON-Data-with-HTTP-Events-are-inconsistent/m-p/23671#M3733</link>
      <description>&lt;P&gt;&lt;CODE&gt;json&lt;/CODE&gt; is not a supported sourcetype; it means that Splunk will try to guess the timestamp / linebreaking.&lt;/P&gt;

&lt;P&gt;Please try with one of the 3 supported json sourcetypes, probably the third one.&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;CODE&gt;json_no_timestamp&lt;/CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;CODE&gt;json_auto_timestamp&lt;/CODE&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;CODE&gt;json_predefined_timestamp&lt;/CODE&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;See &lt;A href="http://docs.splunk.com/Documentation/Storm/latest/User/Sourcesandsourcetypes"&gt;http://docs.splunk.com/Documentation/Storm/latest/User/Sourcesandsourcetypes&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Apr 2013 16:59:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sending-JSON-Data-with-HTTP-Events-are-inconsistent/m-p/23671#M3733</guid>
      <dc:creator>yannK</dc:creator>
      <dc:date>2013-04-03T16:59:27Z</dc:date>
    </item>
  </channel>
</rss>

