https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340084#M62744 <P>Can you try taking a complete event (ideally a selection of events) and run them through a JSon validator like <A href="https://jsonlint.com">https://jsonlint.com</A></P> Mon, 18 Dec 2017 09:05:57 GMT nickhills 2017-12-18T09:05:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340073#M62733 <P>Here's the format of the data i have been working on. i've tried using INDEXED_EXTRACTIONS=JSON in props but the event data is lesser than expected.</P> <PRE><CODE> { "d": { "results": [{ "__metadata": { "id": "http://sapuri('123456789')", "uri": "sapuri('123456789')", "type": "sapuri" }, "DATETIME": "05/05/2016 18:34:40", "System_ID": "DE1", "Client_ID": "200", "SO_Datetime": "05/05/2016 18:34:40", "SO_Number": "123456789", "SO_Item": "000010", "SO_Type": "ANOR", "PO_Num": "", "Sales_Organization": "NP01", "Distribution_Channel": "01", "Division": "01", "Sales_Office": "", "Sales_Group": "", "Delivery_Block": "", "Requested_Delivery_Date": "05/05/2016", "Order_Reason": "301", "Header_Net_Value": " 100.00", "Currency": "USD", "Product_Number": "000000000000123456", "Product_Description": "sample-product description", "Order_Quantity": " 1.000", "Sales_Unit": "DOS", "Item_Net_Value": " 100.00", "Cost_Value": " 0.00", "Tax_Value": " 7.00", "Rejection_Code": "", "Billing_Block": "", "Pricing_Procedure": "SAMPLE", "PO_Type": "SAMP", "Cust_Material": "", "Item_Category": "SAMP", "Delivery_Quantity": "0.000 ", "Confirmed_Quantity": "1.000 ", "Plant": "7001", "Customer_Number": "2000010281", "Address_Code": "0002429053", "Customer_Name": "abcdefghijklmnop", "House_Number": "", "Street": "qrstuvwxyz", "City": "MIAMI", "Region": "FL", "Country_Code": "US", "Post_Code": "33586-2008", "Status_Txt": "Billed", "Status_ID": "4", "DN_Number": "", "DN_Item": "", "DN_Date": "", "DN_Item_Date": "", "DN_Material_Num": "", "DN_Quantity": "", "DN_Werks": "", "DN_Point": "", "DN_Type": "", "DN_Route": "", "DN_Bill_Lading": "", "DN_Shipping_Date": "", "DN_Ext_Delivery_Num": "", "DN_Route_Schedule": "", "DN_Billing_Date": "", "Bill_Doc": "8123456727", "Bill_Item": "123410", "Bill_Fiscal_Year": "0000", "Bill_Company_Code": "2250", "Bill_Sales_Org": "AB01", "Bill_Dist_Channel": "01", "Bill_Quantity": "1.000 ", "Bill_Sales_Unit": "DOS", "Bill_Material_Num": "00123456000102970", "Bill_Type": "aNF1", "Bill_Date": "12/05/2016", "Bill_Createdate": "05/05/2016 18:38:56", "Bill_Item_date": "05/05/2016 18:38:56", "Bill_Net_Value": "300.00 ", "Bill_Payer": "4000014278", "Bill_Sold_To_Party": "2000010281", "Bill_Cancelled": "", "Bill_Ref_Doc": "123457178913", "Bill_Sales_Doc": "11235678113", "Bill_Plant": "7001", "Bill_Item_Net_Value": "100.00 ", "Accounting_Number": "" } ] } } </CODE></PRE> Thu, 14 Dec 2017 07:58:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340073#M62733 splunkt0n 2017-12-14T07:58:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340074#M62734 <P>What does you data look like once its been indexed? - Is it properly rendered as json in search?</P> Thu, 14 Dec 2017 08:19:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340074#M62734 nickhills 2017-12-14T08:19:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340075#M62735 <P>Hi nickhillscpl,</P> <P>no it wasn't rendered as json, but the fields were extracted properly and the number of events does not match.</P> Thu, 14 Dec 2017 08:23:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340075#M62735 splunkt0n 2017-12-14T08:23:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340076#M62736 <P>How many events are included in each json block?<BR /> Since you individual list of keys is quite large, if you list has more than a few items, its possible you are tripping the line breaker limit, which will render the json as a big block of unformatted text in search, and will not extract all items.</P> <P>Try this search to confirm:<BR /> index=_internal LineBreakingProcessor Truncating</P> Thu, 14 Dec 2017 08:41:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340076#M62736 nickhills 2017-12-14T08:41:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340077#M62737 <P>Thanks for this, yep it looks like it exceeds the limit. how can I increase the limit of the line breaker?</P> Thu, 14 Dec 2017 08:47:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340077#M62737 splunkt0n 2017-12-14T08:47:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340078#M62738 <P>In your props.conf on the heavy forwarder/indexer add <CODE>TRUNCATE = 0</CODE> which removes the limit.</P> <P>Obviously, you should keep an eye on this, because massive numbers of events can impact performance, so ideally you would set the truncate value to something just above your maximum anticipated size.</P> Thu, 14 Dec 2017 08:51:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340078#M62738 nickhills 2017-12-14T08:51:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340079#M62739 <P>Thanks nick, i've added a TRUNCATE in the props.conf and the linebreaking warning is gone. but in the sourcetype preview all events are in the same row and i'm seeing just one row.</P> Thu, 14 Dec 2017 09:02:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340079#M62739 splunkt0n 2017-12-14T09:02:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340080#M62740 <P>You might need to configure a linebreaker regex if Splunk cant spot the different events.</P> <P>You could try <CODE>LINE_BREAKER = (\}\]\}\})</CODE> </P> <P>Which will look for the closing parentheses <CODE>}]}}</CODE> and then create a new event.<BR /> NB if your json has spaces you may need to adjust the regex accordingly </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Line_breaking">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Line_breaking</A></P> Thu, 14 Dec 2017 09:16:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340080#M62740 nickhills 2017-12-14T09:16:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340081#M62741 <P>Hi splunkt0n,</P> <P>You can make the following changes in your props.conf:</P> <P>[sourcetype]<BR /> INDEXED_EXTRACTIONS = NONE<BR /> KV_MODE = json<BR /> TRUNCATE = 0<BR /> MUST_BREAK_AFTER = ]</P> <P>Let me know if this helps!!!</P> Tue, 29 Sep 2020 17:14:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340081#M62741 deepashri_123 2020-09-29T17:14:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340082#M62742 <P>thanks Nick, but this doesn't work either</P> Mon, 18 Dec 2017 08:13:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340082#M62742 splunkt0n 2017-12-18T08:13:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340083#M62743 <P>Thanks mate! but this doesn't work.</P> Mon, 18 Dec 2017 08:14:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340083#M62743 splunkt0n 2017-12-18T08:14:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340084#M62744 <P>Can you try taking a complete event (ideally a selection of events) and run them through a JSon validator like <A href="https://jsonlint.com">https://jsonlint.com</A></P> Mon, 18 Dec 2017 09:05:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340084#M62744 nickhills 2017-12-18T09:05:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340085#M62745 <P>Hi,</P> <P>Please try below settings in props.conf:</P> <P>[sourcetype]<BR /> BREAK_ONLY_BEFORE = ^{<BR /> DATETIME_CONFIG =<BR /> NO_BINARY_CHECK = true<BR /> TIME_PREFIX = "DATETIME": "</P> Tue, 29 Sep 2020 17:28:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-full-json-data-and-automatically-extract-fields/m-p/340085#M62745 p_gurav 2020-09-29T17:28:18Z