https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440773#M76831 <P>the line format is :</P> <PRE><CODE>{"tim":"2018-07-12 15:23:16","pre":"ayisha.udam","fir":"Ayisha","las":"UDAM","pe1":false} </CODE></PRE> <P>Some lines present in the source file if I look at it with a text editor don't appear in a search or in a raw export.<BR /> in a json export :</P> <PRE><CODE>{"preview":false,"result":{"_raw":"{\"tim\":\"2018-07-12 15:23:46\",\"pre\":\"ayisha.adam\",\"fir\":\"Ayisha\",\"las\":\"UDAM\" ...} </CODE></PRE> <P>The sourcetype (I don't think it's the problem) is like that :</P> <PRE><CODE>INDEXED_EXTRACTIONS:json KV_MODE:json NO_BINARY_CHECK:true SHOULD_LINEMERGE:false category:Structured description:JavaScript Object Notation format. For more information, visit <A href="http://json.org/" target="test_blank">http://json.org/</A> disabled:false pulldown_type:true </CODE></PRE> <P>I've checked for differences in the source : line breaks, quote, I can't see any differences.</P> <P>What else can I check?</P> <P>thank's</P> Tue, 17 Jul 2018 10:52:20 GMT splunkLPN 2018-07-17T10:52:20Z https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440773#M76831 <P>the line format is :</P> <PRE><CODE>{"tim":"2018-07-12 15:23:16","pre":"ayisha.udam","fir":"Ayisha","las":"UDAM","pe1":false} </CODE></PRE> <P>Some lines present in the source file if I look at it with a text editor don't appear in a search or in a raw export.<BR /> in a json export :</P> <PRE><CODE>{"preview":false,"result":{"_raw":"{\"tim\":\"2018-07-12 15:23:46\",\"pre\":\"ayisha.adam\",\"fir\":\"Ayisha\",\"las\":\"UDAM\" ...} </CODE></PRE> <P>The sourcetype (I don't think it's the problem) is like that :</P> <PRE><CODE>INDEXED_EXTRACTIONS:json KV_MODE:json NO_BINARY_CHECK:true SHOULD_LINEMERGE:false category:Structured description:JavaScript Object Notation format. For more information, visit <A href="http://json.org/" target="test_blank">http://json.org/</A> disabled:false pulldown_type:true </CODE></PRE> <P>I've checked for differences in the source : line breaks, quote, I can't see any differences.</P> <P>What else can I check?</P> <P>thank's</P> Tue, 17 Jul 2018 10:52:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440773#M76831 splunkLPN 2018-07-17T10:52:20Z https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440774#M76832 <P>I believe this should be updated in your sourcetype:<BR /> KV_MODE:none</P> <P>also if you can't guarantee single line events:<BR /> SHOULD_LINEMERGE:true</P> <P>Default Splunk Sourcetype for _json with <BR /> ./splunk cmd btool props list</P> <PRE><CODE>[_json] ADD_EXTRA_TIME_FIELDS = True ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True CHARSET = AUTO DATETIME_CONFIG = \etc\datetime.xml DEPTH_LIMIT = 1000 HEADER_MODE = INDEXED_EXTRACTIONS = json KV_MODE = none LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 128 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = True TRANSFORMS = TRUNCATE = 10000 category = Structured description = JavaScript Object Notation format. For more information, visit <A href="http://json.org/" target="test_blank">http://json.org/</A> detect_trailing_nulls = auto maxDist = 100 priority = pulldown_type = true sourcetype = </CODE></PRE> Tue, 17 Jul 2018 20:23:14 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440774#M76832 akocak 2018-07-17T20:23:14Z https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440775#M76833 <P>Thank you for made me discover btool. I must now investigate. Config Quest app will help me. <BR /> Your suggestion solved my problems !</P> Wed, 18 Jul 2018 15:59:25 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440775#M76833 splunkLPN 2018-07-18T15:59:25Z https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440776#M76834 <P>Can you pick my solution as answer then <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span> ? No problem, I learned a lot here from other people</P> Wed, 18 Jul 2018 16:17:42 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440776#M76834 akocak 2018-07-18T16:17:42Z https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440777#M76835 <P>That was my intention ! I don't see how change the "accepted answer"</P> Thu, 19 Jul 2018 09:05:33 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-the-JSON-event-lines-missing/m-p/440777#M76835 splunkLPN 2018-07-19T09:05:33Z