https://community.splunk.com/t5/Getting-Data-In/JSON-payloads-not-getting-indexed-into-Splunk/m-p/515797#M87341 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;</P><P>&nbsp;Do you reckon it resolves my issue ? By moving SEDCMDs after INDEXED_EXTRACTIONS=json</P><P>&nbsp;I am not sure if my conf is wrong as I picked it from other Splunk answers blog. It works for me except the issue I raised in this ticket.</P> Mon, 24 Aug 2020 13:54:45 GMT nareshinsvu 2020-08-24T13:54:45Z https://community.splunk.com/t5/Getting-Data-In/JSON-payloads-not-getting-indexed-into-Splunk/m-p/515701#M87318 <P>Hi,</P><P>Below is my props.conf on my Heavy Forwarder. I have recently found that there are few JSON messages completely missed getting indexed into Splunk. It's a high transaction system.</P><P>When I actually check my source json logs, eg: out of 10 json payloads, 1-2 doesn't get indexed. But all the 10 json payloads are having similar content and same number of lines</P><P>[dp_json]<BR />SEDCMD-strip_prefix = s/^[^{]+//g<BR />SEDCMD-dumpxml = s/(\&lt;|\&gt;\\r\\n).*//g<BR />SEDCMD-remove = s/\"(shippingAddress)\"\s+\:\s+{[\s\S]*?(?=\n.*?{)//g<BR />INDEXED_EXTRACTIONS=JSON<BR />NO_BINARY_CHECK = true<BR />category = Custom<BR />description = dp_json_custom<BR />disabled = false<BR />pulldown_type = true<BR />DATETIME_CONFIG = CURRENT<BR />TRUNCATE = 100000<BR />MAX_EVENTS = 10000</P><P>&nbsp;</P><P>I couldn't troubleshoot the splunkd.log on forwarder because I continuously get below messages in it. I can't ask the source application system to change the json payload message to rectify this error. So, I am living with this error.</P><P>&nbsp;</P><P>08-24-2020 13:19:52.474 +1000 ERROR JsonLineBreaker - JSON StreamId:10360380474397151566 had parsing error:Unexpected character while looking for value: 'a' - data_source="D:\Logs\myjson.log", data_host="myjsonhost", data_sourcetype="dp_json"</P><P>&nbsp;</P><P>Is there a way to get notifications if any events are missed indexing?</P><P>Hope someone would ve faced same issue. Need urgent resolution as we don't want to miss any data in Splunk.</P><P>&nbsp;</P><P>Thanks,</P><P>Naresh</P> Mon, 24 Aug 2020 06:57:15 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-payloads-not-getting-indexed-into-Splunk/m-p/515701#M87318 nareshinsvu 2020-08-24T06:57:15Z https://community.splunk.com/t5/Getting-Data-In/JSON-payloads-not-getting-indexed-into-Splunk/m-p/515714#M87321 <P>INDEXED_EXTRACTIONS=json can work&nbsp;<STRONG>before</STRONG> SEDCMD.<BR />INDEXED_EXTRACTIONS works for <STRONG>valid</STRONG> JSON.<BR /><BR /></P><P>I'm surprised your setup is working properly.</P> Mon, 24 Aug 2020 08:30:26 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-payloads-not-getting-indexed-into-Splunk/m-p/515714#M87321 to4kawa 2020-08-24T08:30:26Z https://community.splunk.com/t5/Getting-Data-In/JSON-payloads-not-getting-indexed-into-Splunk/m-p/515797#M87341 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;</P><P>&nbsp;Do you reckon it resolves my issue ? By moving SEDCMDs after INDEXED_EXTRACTIONS=json</P><P>&nbsp;I am not sure if my conf is wrong as I picked it from other Splunk answers blog. It works for me except the issue I raised in this ticket.</P> Mon, 24 Aug 2020 13:54:45 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-payloads-not-getting-indexed-into-Splunk/m-p/515797#M87341 nareshinsvu 2020-08-24T13:54:45Z