https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476766#M81855 <P>I have multiple events which are coming as one <BR /> and I need to separate them into separate events in order to create a table and etc<BR /> Is there a way to do it in the search time? <BR /> <STRONG>{<BR /> "Timestamp": "2020-02-08T15:45:00.036Z",<BR /> "Query Parameters": "",<BR /> "RequestMethod": "POST",<BR /> "Request": "{tt}",<BR /> "Response": "{tt}",<BR /> "HTTPStatusCode": "200",<BR /> "TotalResponseTimeApprox.(ms)": "290.0",<BR /> "TargetResponseTime(ms)": "241.0"<BR /> }{<BR /> "Timestamp": "2020-02-08T15:45:00.334Z",<BR /> "Query Parameters": "",<BR /> "RequestMethod": "POST",<BR /> "Request": "{tt}",<BR /> "Response": "{tt}",<BR /> "HTTPStatusCode": "200",<BR /> "TotalResponseTimeApprox.(ms)": "290.0",<BR /> "TargetResponseTime(ms)": "241.0"<BR /> }</STRONG></P> <P>Thank you</P> Thu, 16 Apr 2020 12:36:42 GMT khalid7assan 2020-04-16T12:36:42Z https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476766#M81855 <P>I have multiple events which are coming as one <BR /> and I need to separate them into separate events in order to create a table and etc<BR /> Is there a way to do it in the search time? <BR /> <STRONG>{<BR /> "Timestamp": "2020-02-08T15:45:00.036Z",<BR /> "Query Parameters": "",<BR /> "RequestMethod": "POST",<BR /> "Request": "{tt}",<BR /> "Response": "{tt}",<BR /> "HTTPStatusCode": "200",<BR /> "TotalResponseTimeApprox.(ms)": "290.0",<BR /> "TargetResponseTime(ms)": "241.0"<BR /> }{<BR /> "Timestamp": "2020-02-08T15:45:00.334Z",<BR /> "Query Parameters": "",<BR /> "RequestMethod": "POST",<BR /> "Request": "{tt}",<BR /> "Response": "{tt}",<BR /> "HTTPStatusCode": "200",<BR /> "TotalResponseTimeApprox.(ms)": "290.0",<BR /> "TargetResponseTime(ms)": "241.0"<BR /> }</STRONG></P> <P>Thank you</P> Thu, 16 Apr 2020 12:36:42 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476766#M81855 khalid7assan 2020-04-16T12:36:42Z https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476767#M81856 <P>Hi @khalid7assan,</P> <P>Your event can be parsed with the following SPL:</P> <PRE><CODE>| rex field=_raw max_match=0 "(?ms)(?&lt;split_raw&gt;\{.+?\})(?=\{|\s*$)" | mvexpand split_raw </CODE></PRE> <P>You can replicate the behaviour by copying and pasting the following code in Splunk:</P> <PRE><CODE>| makeresults | eval _raw = " { \"Timestamp\": \"2020-02-08T15:45:00.036Z\", \"Query Parameters\": \"\", \"RequestMethod\": \"POST\", \"Request\": \"{tt}\", \"Response\": \"{tt}\", \"HTTPStatusCode\": \"200\", \"TotalResponseTimeApprox.(ms)\": \"290.0\", \"TargetResponseTime(ms)\": \"241.0\" }{ \"Timestamp\": \"2020-02-08T15:45:00.334Z\", \"Query Parameters\": \"\", \"RequestMethod\": \"POST\", \"Request\": \"{tt}\", \"Response\": \"{tt}\", \"HTTPStatusCode\": \"200\", \"TotalResponseTimeApprox.(ms)\": \"290.0\", \"TargetResponseTime(ms)\": \"241.0\" } " | rex field=_raw max_match=0 "(?ms)(?&lt;split_raw&gt;\{.+?\})(?=\{|\s*$)" | mvexpand split_raw | fields - _raw, _time </CODE></PRE> <P>Output:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8703iFBDA907738DBC55A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>If you find any issues or your events are more complex than the one you included in your question, please post some more examples so that we can take a look.</P> <P>Regards,<BR /> J</P> Thu, 16 Apr 2020 14:24:19 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476767#M81856 javiergn 2020-04-16T14:24:19Z https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476768#M81857 <P>props.conf</P> <PRE><CODE>[your_sourcetype] SHOULD_LINEMERGE = false LINE_BREAKER =(^){ </CODE></PRE> <P>make appropriate props.conf </P> Thu, 16 Apr 2020 21:14:03 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476768#M81857 to4kawa 2020-04-16T21:14:03Z https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476769#M81858 <P>Hi @khalid7assan, </P> <P>Did any of the answers below help with your problem? If so please don't forget to accept one so that other users can benefit from this answer in the future.</P> <P>Thanks,<BR /> J</P> Sun, 19 Apr 2020 16:49:57 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476769#M81858 javiergn 2020-04-19T16:49:57Z https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476770#M81859 <P>Thank you it worked </P> Mon, 20 Apr 2020 07:31:44 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-json-events-coming-as-one/m-p/476770#M81859 khalid7assan 2020-04-20T07:31:44Z