https://community.splunk.com/t5/Getting-Data-In/index-unstructured-JSON-file/m-p/419018#M73878 <P>Hi sivaranjiniG,</P> <P>You can try this one </P> <P><STRONG>inputs.conf</STRONG><BR /> [monitor:///var/log/json.log]<BR /> sourcetype = myjson</P> <P><STRONG>props.conf</STRONG><BR /> [myjson]<BR /> REPORT-json = report-json,report-json-kv</P> <P><STRONG>Transforms.conf</STRONG><BR /> [report-json]<BR /><BR /> # This will get the json payload from the logs. <BR /> # Put your specific logic if you need. Below is a very basic logic baed on { bracket<BR /> REGEX = (?P{.+)<BR /> # Manually extract JSON key-value<BR /> [report-json-kv]<BR /><BR /> REGEX = \"(\w+)\":[\s]*\"([^\,}\"]+)<BR /> FORMAT = $1::$2<BR /> MV_ADD = true</P> <P>Original Source : <A href="https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html">https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html</A></P> Mon, 08 Oct 2018 02:53:12 GMT iamarkaprabha 2018-10-08T02:53:12Z https://community.splunk.com/t5/Getting-Data-In/index-unstructured-JSON-file/m-p/419016#M73876 <P>i have this following content in my JSON file need to break the event with stats</P> <P>Please Help construct props.conf </P> <P>{<BR /> "type": "AAA",<BR /> "name": "AAA AAA",<BR /> "path": "",<BR /> "pathFormatted": "AAA-AAA-AAA",<BR /> "stats": {<BR /> "name": "Global AAA",<BR /> "numberOfRequests": {<BR /> "total": 175,<BR /> "ok": 167,<BR /> "ko": 8<BR /> },<BR /> "minResponseTime": {<BR /> "total": 147,<BR /> "ok": 147,<BR /> "ko": 179<BR /> },<BR /> "maxResponseTime": {<BR /> "total": 60006,<BR /> "ok": 21336,<BR /> "ko": 60006<BR /> },<BR /> "meanResponseTime": {<BR /> "total": 1869,<BR /> "ok": 1570,<BR /> "ko": 8118<BR /> },<BR /> "standardDeviation": {<BR /> "total": 5150,<BR /> "ok": 2719,<BR /> "ko": 19619<BR /> },<BR /> "percentiles1": {<BR /> "total": 1948,<BR /> "ok": 1958,<BR /> "ko": 1566<BR /> },<BR /> "percentiles2": {<BR /> "total": 2339,<BR /> "ok": 2336,<BR /> "ko": 19133<BR /> },<BR /> "percentiles3": {<BR /> "total": 4868,<BR /> "ok": 4800,<BR /> "ko": 39569<BR /> },<BR /> "percentiles4": {<BR /> "total": 19735,<BR /> "ok": 15398,<BR /> "ko": 55919<BR /> },<BR /> "group1": {<BR /> "name": "t &lt; 5000 ms",<BR /> "count": 161,<BR /> "percentage": 92<BR /> },<BR /> "group2": {<BR /> "name": "5000 ms &lt; t &lt; 7500 ms",<BR /> "count": 1,<BR /> "percentage": 1<BR /> },<BR /> "group3": {<BR /> "name": "t &gt; 7500 ms",<BR /> "count": 5,<BR /> "percentage": 3<BR /> },<BR /> "group4": {<BR /> "name": "failed",<BR /> "count": 8,<BR /> "percentage": 5<BR /> },<BR /> "meanNumberOfRequestsPerSecond": {<BR /> "total": 0.12455516014234876,<BR /> "ok": 0.11886120996441281,<BR /> "ko": 0.0056939501779359435<BR /> }<BR /> },<BR /> "contents": {<BR /> "AAA-AAA": {<BR /> "type": "AAA",<BR /> "name": "AAA",<BR /> "path": "AAA",<BR /> "pathFormatted": "AAA-0f98b",<BR /> "stats": {<BR /> "name": "AAA",<BR /> "numberOfRequests": {<BR /> "total": 5,<BR /> "ok": 5,<BR /> "ko": 0<BR /> },<BR /> "minResponseTime": {<BR /> "total": 4759,<BR /> "ok": 4759,<BR /> "ko": 0<BR /> },<BR /> "maxResponseTime": {<BR /> "total": 5361,<BR /> "ok": 5361,<BR /> "ko": 0<BR /> },<BR /> "meanResponseTime": {<BR /> "total": 4984,<BR /> "ok": 4984,<BR /> "ko": 0<BR /> },<BR /> "standardDeviation": {<BR /> "total": 210,<BR /> "ok": 210,<BR /> "ko": 0<BR /> },<BR /> "percentiles1": {<BR /> "total": 4997,<BR /> "ok": 4997,<BR /> "ko": 0<BR /> },<BR /> "percentiles2": {<BR /> "total": 5215,<BR /> "ok": 5215,<BR /> "ko": 0<BR /> },<BR /> "percentiles3": {<BR /> "total": 5288,<BR /> "ok": 5288,<BR /> "ko": 0<BR /> },<BR /> "percentiles4": {<BR /> "total": 5346,<BR /> "ok": 5346,<BR /> "ko": 0<BR /> },<BR /> "group1": {<BR /> "name": "t &lt; 5000 ms",<BR /> "count": 4,<BR /> "percentage": 80<BR /> },<BR /> "group2": {<BR /> "name": "5000 ms &lt; t &lt; 7500 ms",<BR /> "count": 1,<BR /> "percentage": 20<BR /> },<BR /> "group3": {<BR /> "name": "t &gt; 7500 ms",<BR /> "count": 0,<BR /> "percentage": 0<BR /> },<BR /> "group4": {<BR /> "name": "failed",<BR /> "count": 0,<BR /> "percentage": 0<BR /> },<BR /> "meanNumberOfRequestsPerSecond": {<BR /> "total": 0.0035587188612099642,<BR /> "ok": 0.0035587188612099642,<BR /> "ko": 0<BR /> }<BR /> }<BR /> }<BR /> }<BR /> }</P> Sun, 07 Oct 2018 14:45:02 GMT https://community.splunk.com/t5/Getting-Data-In/index-unstructured-JSON-file/m-p/419016#M73876 sivaranjiniG 2018-10-07T14:45:02Z https://community.splunk.com/t5/Getting-Data-In/index-unstructured-JSON-file/m-p/419017#M73877 <P>If you want to break events before stats then try in props.conf-</P> <PRE><CODE>[sourcetypename] BREAK_ONLY_BEFORE = stats </CODE></PRE> Sun, 07 Oct 2018 15:08:30 GMT https://community.splunk.com/t5/Getting-Data-In/index-unstructured-JSON-file/m-p/419017#M73877 493669 2018-10-07T15:08:30Z https://community.splunk.com/t5/Getting-Data-In/index-unstructured-JSON-file/m-p/419018#M73878 <P>Hi sivaranjiniG,</P> <P>You can try this one </P> <P><STRONG>inputs.conf</STRONG><BR /> [monitor:///var/log/json.log]<BR /> sourcetype = myjson</P> <P><STRONG>props.conf</STRONG><BR /> [myjson]<BR /> REPORT-json = report-json,report-json-kv</P> <P><STRONG>Transforms.conf</STRONG><BR /> [report-json]<BR /><BR /> # This will get the json payload from the logs. <BR /> # Put your specific logic if you need. Below is a very basic logic baed on { bracket<BR /> REGEX = (?P{.+)<BR /> # Manually extract JSON key-value<BR /> [report-json-kv]<BR /><BR /> REGEX = \"(\w+)\":[\s]*\"([^\,}\"]+)<BR /> FORMAT = $1::$2<BR /> MV_ADD = true</P> <P>Original Source : <A href="https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html">https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html</A></P> Mon, 08 Oct 2018 02:53:12 GMT https://community.splunk.com/t5/Getting-Data-In/index-unstructured-JSON-file/m-p/419018#M73878 iamarkaprabha 2018-10-08T02:53:12Z