https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341419#M62910 <P>Is this just a file on disk, or is it coming from some code somewhere? If so, a few things will need to happen:</P> <P>1) Strip out the header<BR /> 2) Define a line breaker<BR /> 3) Strip out the footer (closing square bracket and curly brace)</P> <P>This <CODE>props.conf</CODE> <EM>may</EM> work (it is hard to tell without a complete sample):</P> <PRE><CODE>[myJSON] SEDCMD-remove_header = s/^(?:.*\n){1,3}//g SEDCMD-remove_footer = s/\][\r\n]\s*\}.*$//g LINE_BREAKER = \}(\s*,[\r\n]\s*)\{ </CODE></PRE> <P>It is a best practice to have some time formatting in your <CODE>props.conf</CODE> also, but I don't see anything that looks like a timestamp.</P> Wed, 18 Apr 2018 19:34:05 GMT jconger 2018-04-18T19:34:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341418#M62909 <P>Hello All,<BR /> Im a newbie to JSON and have pretty much no knowledge in programming. Can someone please assist in splitting the following json into diffrent events (split events). I have removed some details from JSON in compliance with the community rules, and rest of it is pretty much just dummy data.</P> <PRE><CODE>{ "STATUS":"OK", "todo-items":[ { "id":17223591, "canComplete":true, "comments-count":0, "description":"", "has-reminders":false, "has-unread-comments":false, "private":2, "content":"Map Indexed Data of Windows Servers to Windows Infrastructure App", "order":2000, "project-id":353705, "project-name":"IT18-03-IT Dashboarding System", "todo-list-id":1533948, "todo-list-name":"Phase Two", "tasklist-private":true, "tasklist-isTemplate":false, "status":"new", "company-name":"TECIT", "company-id":103131, "creator-id":316954, "creator-firstname":"3333", "creator-lastname":"33333", "completed":false, "start-date":"20180325", "due-date-base":"20180415", "due-date":"20180415", "created-on":"2018-02-21T05:53:40Z", "last-changed-on":"2018-03-29T11:41:56Z", "position":2000, "estimated-minutes":0, "priority":"", "progress":0, "harvest-enabled":false, "parentTaskId":"17223590", "lockdownId":"806894", "tasklist-lockdownId":"806894", "has-dependencies":2, "has-predecessors":0, "hasTickets":false, "timeIsLogged":"0", "attachments-count":0, "responsible-party-ids":"317122,316954", "responsible-party-id":"317122,316954", "responsible-party-names":"Projects T.|3333.", "responsible-party-type":"Person", "responsible-party-firstname":"33333", "responsible-party-lastname":"3333", "responsible-party-summary":"You + 1 other", "predecessors":[ ], "parent-task":{ "content":"Customization - Infrastructure Log Monitoring / HW", "id":"17223590" }, "canEdit":true, "viewEstimatedTime":true, "canLogTime":false, "userFollowingComments":false, "userFollowingChanges":false, "DLM":0 }, { "id":17223405, "canComplete":false, "comments-count":1, "description":"", "has-reminders":false, "has-unread-comments":false, "private":2, "content":"fdfdfdfdfdfd", "order":2000, "project-id":353705, "project-name":"asdf", "todo-list-id":1533948, "todo-list-name":"Phase Two", "tasklist-private":true, "tasklist-isTemplate":false, "status":"new", "company-name":"asdasd", "company-id":103131, "creator-id":316954, "creator-firstname":"3333", "creator-lastname":"333333", "completed":false, "start-date":"20180227", "due-date-base":"20180408", "due-date":"20180408", "created-on":"2018-02-21T04:42:49Z", "last-changed-on":"2018-03-29T10:34:36Z", "position":2000, "estimated-minutes":0, "priority":"", "progress":0, "harvest-enabled":false, "parentTaskId":"17223403", "lockdownId":"806894", "tasklist-lockdownId":"806894", "has-dependencies":2, "has-predecessors":0, "hasTickets":false, "timeIsLogged":"0", "attachments-count":0, "responsible-party-ids":"221525", "responsible-party-id":"221525", "responsible-party-names":"3333A.", "responsible-party-type":"Person", "responsible-party-firstname":"3333", "responsible-party-lastname":"Al33i", "responsible-party-summary":"3333A.", "predecessors":[ ], "parent-task":{ "content":"Work Package 3", "id":"17223403" }, "canEdit":false, "viewEstimatedTime":true, "canLogTime":false, "commentFollowerSummary":"You + 2 others", "commentFollowerIds":"221525,316954,317122", "userFollowingComments":true, "userFollowingChanges":false, "DLM":0 }, </CODE></PRE> Wed, 18 Apr 2018 18:48:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341418#M62909 ranjitbrhm1 2018-04-18T18:48:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341419#M62910 <P>Is this just a file on disk, or is it coming from some code somewhere? If so, a few things will need to happen:</P> <P>1) Strip out the header<BR /> 2) Define a line breaker<BR /> 3) Strip out the footer (closing square bracket and curly brace)</P> <P>This <CODE>props.conf</CODE> <EM>may</EM> work (it is hard to tell without a complete sample):</P> <PRE><CODE>[myJSON] SEDCMD-remove_header = s/^(?:.*\n){1,3}//g SEDCMD-remove_footer = s/\][\r\n]\s*\}.*$//g LINE_BREAKER = \}(\s*,[\r\n]\s*)\{ </CODE></PRE> <P>It is a best practice to have some time formatting in your <CODE>props.conf</CODE> also, but I don't see anything that looks like a timestamp.</P> Wed, 18 Apr 2018 19:34:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341419#M62910 jconger 2018-04-18T19:34:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341420#M62911 <P>Thanks for the answer. I am pulling down the json using a curl script and put a continuous monitor in place for this to be injested on to the splunk instance.</P> Wed, 18 Apr 2018 19:48:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341420#M62911 ranjitbrhm1 2018-04-18T19:48:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341421#M62912 <P>In that case, I would recommend using the Splunk Add-on Builder which can automate this for you (and break the events without all that regex mentioned above). Here is a walkthrough -&gt; <A href="http://dev.splunk.com/view/addon-builder/SP-CAAAFCA">http://dev.splunk.com/view/addon-builder/SP-CAAAFCA</A> </P> Wed, 18 Apr 2018 20:12:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341421#M62912 jconger 2018-04-18T20:12:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341422#M62913 <P>The updated location of the Splunk Add-on Builder documentation is <A href="https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/UseTheApp">https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/UseTheApp</A></P> Wed, 19 Feb 2020 20:31:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-the-following-JSON-into-different-events/m-p/341422#M62913 nkaplan_splunk 2020-02-19T20:31:23Z