topic Re: How can i split a json array in mutiple events? in Getting Data In

How can i split a json array in mutiple events?

Outek — Mon, 07 Mar 2016 10:50:06 GMT

Hello

Im trying to split a json Array into multiple Events in the props.conf
Whats the best way to do this?

Here is the json example:

{
"Applications": [
{
"outputname": "Adobe Flash Player",
"version": "19.0.0.185",
},
{
"outputname": "Adobe Reader",
"version": "1.2.3"
},
{
"outputname": "Attachmate Reflection X",
"version": "14.1.1217",
}
],
"TIMESTAMP": "2016-03-07 09:03:43"
}

What should the props.conf look like to split such a file?
thank you for your suggestions.

Re: How can i split a json array in mutiple events?

somesoni2 — Mon, 07 Mar 2016 17:53:47 GMT

Do you see any issues with ingesting this json array (which also has non-array element (timestamp)) as full event in Splunk? Splunk will convert this json array values to multivalued field and you should be able to report on them easily.

Re: How can i split a json array in mutiple events?

alacercogitatus — Mon, 07 Mar 2016 18:08:08 GMT

There is no props.conf that will split that correctly into other JSON objects. You will need to pre-process with a script or modular input to achieve that.

However, there is a search hack you can do to make reports on the data.

<your_search> | rename Applications{}.* as * | eval z = mvzip(outputname, version) | mvexpand z | eval z = split(z, ",") | eval outputname=mvindex(z,0), version = mvindex(z,1) | stats count by outputname, version

This will allow you to make reports based on the current JSON event.

Re: How can i split a json array in mutiple events?

Outek — Mon, 07 Mar 2016 19:34:05 GMT

I know the way with mvzip/mvexpand, but i thought that there is an easier way. We did some tests with SEDCMD in the props.conf, but im not really satisfied with the results

What do you mean with "pre-process with a script or modular input to achieve that" ?
Should i rewrite the script which is writing the json file to only log each arrayline as single Event?

Re: How can i split a json array in mutiple events?

alacercogitatus — Mon, 07 Mar 2016 19:39:26 GMT

Yes, If you have a script writing out that JSON object, put each item in it's own line. You can put them all in the same file, but Splunk will read them in as individual events.

{ "TIMESTAMP":"2016-03-07 09:03:43", "outputname": "Attachmate Reflection X", "version": "14.1.1217" }
{ "TIMESTAMP":"2016-03-07 09:03:43", "outputname": "Adobe Reader", "version": "1.2.3" }

Re: How can i split a json array in mutiple events?

Outek — Mon, 07 Mar 2016 19:45:09 GMT

I like this approach, i'll give it a try.. Thanks 🙂