<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Need help with complicated Json format in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368133#M66883</link>
    <description>&lt;P&gt;"Id" is basically is in unique place in geolocation .&lt;/P&gt;</description>
    <pubDate>Thu, 28 Dec 2017 20:48:28 GMT</pubDate>
    <dc:creator>jrahikasplunk</dc:creator>
    <dc:date>2017-12-28T20:48:28Z</dc:date>
    <item>
      <title>Need help with complicated Json format</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368130#M66880</link>
      <description>&lt;P&gt;I've got a complicated structure.&lt;/P&gt;

&lt;P&gt;Start of the log file:&lt;/P&gt;

&lt;P&gt;{&lt;BR /&gt;
  "dataUpdatedTime" : "2017-12-28T12:07:00+02:00",&lt;BR /&gt;
  "links" : [ {&lt;BR /&gt;
    "id" : 27,&lt;BR /&gt;
    "linkMeasurements" : [ {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 329,&lt;BR /&gt;
      "averageSpeed" : 75.851,&lt;BR /&gt;
      "medianTravelTime" : 158,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:29:00+02:00"&lt;/P&gt;

&lt;P&gt;.&lt;BR /&gt;
.&lt;BR /&gt;
.&lt;BR /&gt;
.&lt;/P&gt;

&lt;P&gt;}, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1289,&lt;BR /&gt;
      "averageSpeed" : 75.374,&lt;BR /&gt;
      "medianTravelTime" : 159,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:29:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1358,&lt;BR /&gt;
      "averageSpeed" : 72.633,&lt;BR /&gt;
      "medianTravelTime" : 165,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T22:38:00+02:00"&lt;BR /&gt;
    } ],&lt;BR /&gt;
    "measuredTime" : "2017-12-27T22:38:00+02:00"&lt;BR /&gt;
  }, {&lt;BR /&gt;
    "id" : 30,&lt;BR /&gt;
    "linkMeasurements" : [ {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 0,&lt;BR /&gt;
      "averageSpeed" : 43.548,&lt;BR /&gt;
      "medianTravelTime" : 124,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T00:00:00+02:00"&lt;/P&gt;

&lt;P&gt;Notice that id doesn't change until a certain period. How to index events based on id, which is a unique identifier which however doesn't appear in every JSON array?&lt;/P&gt;</description>
      <pubDate>Thu, 28 Dec 2017 19:54:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368130#M66880</guid>
      <dc:creator>jrahikasplunk</dc:creator>
      <dc:date>2017-12-28T19:54:52Z</dc:date>
    </item>
    <item>
      <title>Re: Need help with complicated Json format</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368131#M66881</link>
      <description>&lt;P&gt;Can you paste a complete JSON block?&lt;/P&gt;

&lt;P&gt;Ideally confirm it's well formed first with &lt;A href="https://jsonlint.com/"&gt;https://jsonlint.com/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 28 Dec 2017 20:28:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368131#M66881</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2017-12-28T20:28:11Z</dc:date>
    </item>
    <item>
      <title>Re: Need help with complicated Json format</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368132#M66882</link>
      <description>&lt;P&gt;Since the log file is huge event-wise, I will not post the whole log file, but here is a little bit more.&lt;/P&gt;

&lt;P&gt;{&lt;BR /&gt;
  "dataUpdatedTime" : "2017-12-28T12:07:00+02:00",&lt;BR /&gt;
  "links" : [ {&lt;BR /&gt;
    "id" : 27,&lt;BR /&gt;
    "linkMeasurements" : [ {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 329,&lt;BR /&gt;
      "averageSpeed" : 75.851,&lt;BR /&gt;
      "medianTravelTime" : 158,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:29:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 330,&lt;BR /&gt;
      "averageSpeed" : 75.851,&lt;BR /&gt;
      "medianTravelTime" : 158,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:30:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 331,&lt;BR /&gt;
      "averageSpeed" : 75.851,&lt;BR /&gt;
      "medianTravelTime" : 158,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:31:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 332,&lt;BR /&gt;
      "averageSpeed" : 75.851,&lt;BR /&gt;
      "medianTravelTime" : 158,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:32:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 333,&lt;BR /&gt;
      "averageSpeed" : 75.851,&lt;BR /&gt;
      "medianTravelTime" : 158,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:33:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 352,&lt;BR /&gt;
      "averageSpeed" : 83.807,&lt;BR /&gt;
      "medianTravelTime" : 143,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:52:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 353,&lt;BR /&gt;
      "averageSpeed" : 83.807,&lt;BR /&gt;
      "medianTravelTime" : 143,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:53:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 354,&lt;BR /&gt;
      "averageSpeed" : 83.807,&lt;BR /&gt;
      "medianTravelTime" : 143,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:54:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 355,&lt;BR /&gt;
      "averageSpeed" : 83.807,&lt;BR /&gt;
      "medianTravelTime" : 143,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T05:55:00+02:00"&lt;/P&gt;

&lt;P&gt;....&lt;/P&gt;

&lt;P&gt;}, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1274,&lt;BR /&gt;
      "averageSpeed" : 70.496,&lt;BR /&gt;
      "medianTravelTime" : 170,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:14:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1275,&lt;BR /&gt;
      "averageSpeed" : 70.496,&lt;BR /&gt;
      "medianTravelTime" : 170,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:15:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1276,&lt;BR /&gt;
      "averageSpeed" : 70.496,&lt;BR /&gt;
      "medianTravelTime" : 170,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:16:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1277,&lt;BR /&gt;
      "averageSpeed" : 70.496,&lt;BR /&gt;
      "medianTravelTime" : 170,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:17:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1278,&lt;BR /&gt;
      "averageSpeed" : 70.496,&lt;BR /&gt;
      "medianTravelTime" : 170,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:18:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1287,&lt;BR /&gt;
      "averageSpeed" : 75.374,&lt;BR /&gt;
      "medianTravelTime" : 159,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:27:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1288,&lt;BR /&gt;
      "averageSpeed" : 75.374,&lt;BR /&gt;
      "medianTravelTime" : 159,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:28:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1289,&lt;BR /&gt;
      "averageSpeed" : 75.374,&lt;BR /&gt;
      "medianTravelTime" : 159,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T21:29:00+02:00"&lt;BR /&gt;
    }, {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 1358,&lt;BR /&gt;
      "averageSpeed" : 72.633,&lt;BR /&gt;
      "medianTravelTime" : 165,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T22:38:00+02:00"&lt;BR /&gt;
    } ],&lt;BR /&gt;
    "measuredTime" : "2017-12-27T22:38:00+02:00"&lt;BR /&gt;
  }, {&lt;BR /&gt;
    "id" : 30,&lt;BR /&gt;
    "linkMeasurements" : [ {&lt;BR /&gt;
      "fluencyClass" : 5,&lt;BR /&gt;
      "minute" : 0,&lt;BR /&gt;
      "averageSpeed" : 43.548,&lt;BR /&gt;
      "medianTravelTime" : 124,&lt;BR /&gt;
      "measuredTime" : "2017-12-27T00:00:00+02:00"&lt;/P&gt;

&lt;P&gt;You get the idea?&lt;/P&gt;</description>
      <pubDate>Thu, 28 Dec 2017 20:44:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368132#M66882</guid>
      <dc:creator>jrahikasplunk</dc:creator>
      <dc:date>2017-12-28T20:44:57Z</dc:date>
    </item>
    <item>
      <title>Re: Need help with complicated Json format</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368133#M66883</link>
      <description>&lt;P&gt;"Id" is basically is in unique place in geolocation .&lt;/P&gt;</description>
      <pubDate>Thu, 28 Dec 2017 20:48:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368133#M66883</guid>
      <dc:creator>jrahikasplunk</dc:creator>
      <dc:date>2017-12-28T20:48:28Z</dc:date>
    </item>
    <item>
      <title>Re: Need help with complicated Json format</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368134#M66884</link>
      <description>&lt;P&gt;Are you looking to only index events that have the unique identifier? If that is the case, then you probably want to do something like this:&lt;/P&gt;

&lt;P&gt;&lt;A href="https://answers.splunk.com/answers/477356/how-to-only-index-events-that-contain-specific-fie.html"&gt;https://answers.splunk.com/answers/477356/how-to-only-index-events-that-contain-specific-fie.html&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;If you are looking to index all the JSON files, and then trace events with the same ID, then you probably want to use the TRANSACTION command:&lt;/P&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Transaction"&gt;https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Transaction&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Note: If you have a lot of events per ID, you may want to use STATS instead of TRANSACTION.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Dec 2017 21:00:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368134#M66884</guid>
      <dc:creator>gwalford</dc:creator>
      <dc:date>2017-12-28T21:00:41Z</dc:date>
    </item>
    <item>
      <title>Re: Need help with complicated Json format</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368135#M66885</link>
      <description>&lt;P&gt;Assuming I have interpreted your JSON right, spath is interpreting correctly:&lt;/P&gt;

&lt;P&gt;I tested with this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| makeresults |eval samplejson="{
    \"dataUpdatedTime\": \"2017-12-28T12:07:00+02:00\",
    \"links\": [{
        \"id\": 27,
        \"linkMeasurements\": [{
            \"fluencyClass\": 5,
            \"minute\": 329,
            \"averageSpeed\": 75.851,
            \"medianTravelTime\": 158,
            \"measuredTime\": \"2017-12-27T05:29:00+02:00\"
        }, {
            \"fluencyClass\": 5,
            \"minute\": 331,
            \"averageSpeed\": 75.851,
            \"medianTravelTime\": 158,
            \"measuredTime\": \"2017-12-27T05:31:00+02:00\"

        }, {
            \"fluencyClass\": 5,
            \"minute\": 354,
            \"averageSpeed\": 83.807,
            \"medianTravelTime\": 143,
            \"measuredTime\": \"2017-12-27T05:54:00+02:00\"
        }],
        \"measuredTime\": \"2017-12-27T22:38:00+02:00\"
    }, {
        \"id\": 30,
        \"linkMeasurements\": [{
            \"fluencyClass\": 5,
            \"minute\": 0,
            \"averageSpeed\": 43.548,
            \"medianTravelTime\": 124,
            \"measuredTime\": \"2017-12-27T00:00:00+02:00\"
        }]
    }]
}"|spath input=samplejson|table *
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I wonder if your issue is truncation - very large JSON events which exceed 10,000 bytes can often cause complications.&lt;/P&gt;

&lt;P&gt;Run this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=_internal sourcetype=splunkd LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Do you see this for your json sourcetype?&lt;/P&gt;</description>
      <pubDate>Thu, 28 Dec 2017 21:03:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-help-with-complicated-Json-format/m-p/368135#M66885</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2017-12-28T21:03:35Z</dc:date>
    </item>
  </channel>
</rss>

