https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382402#M68935 <P>We have data structured in the following format:</P> <PRE><CODE>[ { "container_id": "1", "executor_id": "1", "framework_id": "2", "statistics": { "cpus_limit": 1, "cpus_nr_periods": 1 }, "status": { "container_id": { "value": "123" } } }, { "container_id": "2", "executor_id": "1", "framework_id": "3", "statistics": { "cpus_limit": 1.1, "cpus_nr_periods": 2 }, "status": { "container_id": { "value": "124" } } } ] </CODE></PRE> <P>We would like to split it into seperate events in a way that we end up with:</P> <P><STRONG>Event 1</STRONG></P> <PRE><CODE> { "container_id": "1", "executor_id": "1", "framework_id": "2", "statistics": { "cpus_limit": 1, "cpus_nr_periods": 1 }, "status": { "container_id": { "value": "123" } } } </CODE></PRE> <P><STRONG>Event 2</STRONG></P> <PRE><CODE>{ "container_id": "2", "executor_id": "1", "framework_id": "3", "statistics": { "cpus_limit": 1.1, "cpus_nr_periods": 2 }, "status": { "container_id": { "value": "124" } } } </CODE></PRE> <P>We can not do a split by '},' as this would also split on </P> <BLOCKQUOTE> <P>"cpus_nr_periods": <STRONG>},</STRONG> "status": {</P> </BLOCKQUOTE> <P>Is there any way we can split those events (on index time)</P> Tue, 29 Sep 2020 21:58:02 GMT sboogaar 2020-09-29T21:58:02Z https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382402#M68935 <P>We have data structured in the following format:</P> <PRE><CODE>[ { "container_id": "1", "executor_id": "1", "framework_id": "2", "statistics": { "cpus_limit": 1, "cpus_nr_periods": 1 }, "status": { "container_id": { "value": "123" } } }, { "container_id": "2", "executor_id": "1", "framework_id": "3", "statistics": { "cpus_limit": 1.1, "cpus_nr_periods": 2 }, "status": { "container_id": { "value": "124" } } } ] </CODE></PRE> <P>We would like to split it into seperate events in a way that we end up with:</P> <P><STRONG>Event 1</STRONG></P> <PRE><CODE> { "container_id": "1", "executor_id": "1", "framework_id": "2", "statistics": { "cpus_limit": 1, "cpus_nr_periods": 1 }, "status": { "container_id": { "value": "123" } } } </CODE></PRE> <P><STRONG>Event 2</STRONG></P> <PRE><CODE>{ "container_id": "2", "executor_id": "1", "framework_id": "3", "statistics": { "cpus_limit": 1.1, "cpus_nr_periods": 2 }, "status": { "container_id": { "value": "124" } } } </CODE></PRE> <P>We can not do a split by '},' as this would also split on </P> <BLOCKQUOTE> <P>"cpus_nr_periods": <STRONG>},</STRONG> "status": {</P> </BLOCKQUOTE> <P>Is there any way we can split those events (on index time)</P> Tue, 29 Sep 2020 21:58:02 GMT https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382402#M68935 sboogaar 2020-09-29T21:58:02Z https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382403#M68936 <P>Assuming your data isn't actually prettyprinted, you can have <CODE>LINE_BREAKER = \}(,)\{</CODE> in your props.conf, alongside <CODE>SHOULD_LINEMERGE = false</CODE>. If your data is prettyprinted you'll need to allow whitespace between the comma and the opening curly brace.</P> Mon, 12 Nov 2018 23:14:48 GMT https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382403#M68936 martin_mueller 2018-11-12T23:14:48Z https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382404#M68937 <P>It is formatted exactly as I posted. I dont see how the linebreaker would work <A href="https://regexr.com/43084">https://regexr.com/43084</A>. We are not in control of the format as it is a response of a call to a DC/OS api</P> Tue, 13 Nov 2018 08:45:59 GMT https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382404#M68937 sboogaar 2018-11-13T08:45:59Z https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382405#M68938 <P>If your data is prettyprinted you'll need to allow whitespace between the comma and the opening curly brace.</P> <PRE><CODE>\}(,\s*)\{ </CODE></PRE> Tue, 13 Nov 2018 09:09:00 GMT https://community.splunk.com/t5/Getting-Data-In/Split-json-array-of-objects-into-multiple-events/m-p/382405#M68938 martin_mueller 2018-11-13T09:09:00Z