https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465847#M80286 <P>Its intermittent issue. The data is different in each payload. Can it be done while indexing rather than searching. Please guide.</P> Sat, 14 Dec 2019 03:06:35 GMT rishma 2019-12-14T03:06:35Z https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465845#M80284 <P>I am using API to fetch the JSON logs and sending JSON output to Splunk. Props.conf is on the search head. </P> <P>I am seeing the intermittent issues of not splitting the JSON logs even though I am sending one by one JSON objects via scripting. </P> <P>Json payload :</P> <P>{"test": "emailid", "remote": "13.17.14.2", "guide": "05773-56-C2-E9", "test1": "testing", "date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}<BR /> {"remote": "13.7.4.28", "guide": "05773-56-C2-E9", "test1": "testing", "date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}</P> <P>Props.conf is :</P> <PRE><CODE>INDEXED_EXTRACTIONS = JSON BREAK_ONLY_BEFORE_DATE=false BREAK_ONLY_BEFORE=(\{\"|\"\}) MUST_BREAK_AFTER=\"\} </CODE></PRE> <P>Please guide. </P> <P>I tried including <CODE>SHOULD_LINEMERGE = false</CODE></P> <P>But it didnt work. </P> Fri, 13 Dec 2019 18:09:45 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465845#M80284 rishma 2019-12-13T18:09:45Z https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465846#M80285 <PRE><CODE>| makeresults | eval _raw= "{\"test\": \"emailid\" , \"remote\": \"13.17.14.2\", \"guide\": \"05773-56-C2-E9\", \"test1\": \"testing\", \"date\": \"2019-12-13T19:05:03.836+00:00\", \"sessionID\": \"abc1\"}" | appendpipe [| eval _raw="{\"remote\": \"13.7.4.28\", \"guide\": \"05773-56-C2-E9\", \"test1\": \"testing\", \"date\": \"2019-12-13T19:05:03.836+00:00\", \"sessionID\": \"abc1\"}" ] | eval _time=strptime(spath(_raw,"date"),"%Y-%m-%dT%H:%M:%S.%Q%:z") | spath </CODE></PRE> <P>If it is a search, it can be extracted correctly.</P> <P><A href="https://answers.splunk.com/answers/556279/why-would-indexed-extractionsjson-in-propsconf-be.html">why-would-indexed-extractionsjson-in-propsconf</A></P> <P>How about using this as a reference?</P> Fri, 13 Dec 2019 23:25:15 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465846#M80285 to4kawa 2019-12-13T23:25:15Z https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465847#M80286 <P>Its intermittent issue. The data is different in each payload. Can it be done while indexing rather than searching. Please guide.</P> Sat, 14 Dec 2019 03:06:35 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465847#M80286 rishma 2019-12-14T03:06:35Z https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465848#M80287 <P>Sorry, I don’t know how.</P> Sat, 14 Dec 2019 04:06:01 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465848#M80287 to4kawa 2019-12-14T04:06:01Z https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465849#M80288 <P>Never use the <CODE>BREAK_*</CODE> settings; always do it like this (these are the only breaking settings required):</P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = \"\}(\s*[\r\n]+\s*)(?:\{\")|(?:\"\}) </CODE></PRE> Sat, 14 Dec 2019 18:18:49 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-input-not-splitting-up-in-single-line/m-p/465849#M80288 woodcock 2019-12-14T18:18:49Z