https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302541#M57153 <P>If the source can be edited to write to different files per sourcetype that is most ideal.</P> <P>Another option that doesn't involve the universal forwarder is ingest the file using python and send to Splunk HTTP Event collector. A bit more complex but more flexible than doing regex routing at indexers.</P> Wed, 04 Apr 2018 16:05:57 GMT starcher 2018-04-04T16:05:57Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302537#M57149 <P>Hi</P> <P>I have one file with multiple JSON types in it.<BR /> What is the best way to get this data into Splunk.<BR /> I dont think i can use a universal forwarder as i cant specify the sourcetype as i is multiple.</P> <P>Someone said use a heavy forward and do the work of splitting the data into different source types before i send it. </P> <P>Is this the correct approach?</P> <P>Thanks <BR /> Robert Lynch</P> Wed, 04 Apr 2018 05:05:49 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302537#M57149 robertlynch2020 2018-04-04T05:05:49Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302538#M57150 <P><CODE>spath</CODE> command, it will do that for you, you may refer to the below link for using spath</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/spath">http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/spath</A></P> Wed, 04 Apr 2018 05:50:45 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302538#M57150 splunker12er 2018-04-04T05:50:45Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302539#M57151 <P>This may help you:</P> <P><A href="https://answers.splunk.com/answers/567087/how-to-split-data-into-separate-sourcetypes-with-t.html">https://answers.splunk.com/answers/567087/how-to-split-data-into-separate-sourcetypes-with-t.html</A></P> Wed, 04 Apr 2018 06:44:36 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302539#M57151 p_gurav 2018-04-04T06:44:36Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302540#M57152 <P>@robertlynch2020, your indexer can also do this job, but better approach like you have said is to use heavy forward to set different sourcetype based on different JSON from the same source through props.conf and transforms.conf for sourcetype override.</P> <P>Refer to Splunk Documentation : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides#Example:_Assign_a_source_type_to_events_from_a_single_input_but_different_hosts">http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides#Example:_Assign_a_source_type_to_events_from_a_single_input_but_different_hosts</A></P> <P>And Splunk Blog: <A href="https://www.splunk.com/blog/2010/02/11/sourcetypes-gone-wild.html">https://www.splunk.com/blog/2010/02/11/sourcetypes-gone-wild.html</A></P> Wed, 04 Apr 2018 13:11:03 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302540#M57152 niketn 2018-04-04T13:11:03Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302541#M57153 <P>If the source can be edited to write to different files per sourcetype that is most ideal.</P> <P>Another option that doesn't involve the universal forwarder is ingest the file using python and send to Splunk HTTP Event collector. A bit more complex but more flexible than doing regex routing at indexers.</P> Wed, 04 Apr 2018 16:05:57 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302541#M57153 starcher 2018-04-04T16:05:57Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302542#M57154 <P>Hi</P> <P>Thanks, this is the answer i went with <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Apr 2018 09:45:20 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302542#M57154 robertlynch2020 2018-04-05T09:45:20Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302543#M57155 <P>Hi</P> <P>This is the answer that i went with</P> <P><A href="https://answers.splunk.com/answers/567087/how-to-split-data-into-separate-sourcetypes-with-t.html">https://answers.splunk.com/answers/567087/how-to-split-data-into-separate-sourcetypes-with-t.html</A></P> <P>Cheers to all <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Apr 2018 09:45:49 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Json-types-in-one-file-How-do-i-get-data-into-Splunk/m-p/302543#M57155 robertlynch2020 2018-04-05T09:45:49Z