https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551669#M91558 <P>This works! Thank you!</P> Fri, 14 May 2021 20:33:05 GMT jason_hotchkiss 2021-05-14T20:33:05Z https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551512#M91533 <P>inputsHello -&nbsp;</P><P>I have the following log that will not line break using the traditional ([\r\n)+).&nbsp; Each event splits between:&nbsp;&nbsp;"Properties": {<BR /><BR />Here is what I have tried in my Props.conf:<BR /><BR />[ mysourcetype ]<BR />BREAK_ONLY_BEFORE=\"Properties\"\: \{<BR />LINE_BREAKER=^{<BR />CHARSET=UTF-8<BR />DATETIME_CONFIG=CURRENT<BR />MAX_EVENTS=40000<BR />SHOULD_LINEMERGE=true<BR />disabled=false<BR />pulldown_type=true<BR /><BR /><BR /></P><P>{ "computers": [ { "Properties": { "haslaps": false, "highvalue": false, "name": "DATA", "domain": "DATA", "objectid": "DATA", "distinguishedname": "DATA", "description": null, "enabled": true, "unconstraineddelegation": false, "serviceprincipalnames": [ "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA" ], "lastlogontimestamp": 1501470433, "pwdlastset": 1500622271, "operatingsystem": "DATA" }, "AllowedToDelegate": [], "AllowedToAct": [], "PrimaryGroupSid": "DATA", "Sessions": [], "LocalAdmins": [], "RemoteDesktopUsers": [], "DcomUsers": [], "PSRemoteUsers": [], "ObjectIdentifier": "DATA", "Aces": [ { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": DATA }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "DATA", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Unknown", "RightName": "DATA", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Unknown", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteDacl", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteOwner", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericWrite", "AceType": "", "IsInherited": true } ] }, { "Properties": { "haslaps": false, "highvalue": false, "name": "DATA", "domain": "DATA", "objectid": "DATA", "distinguishedname": "DATA", "description": null, "enabled": true, "unconstraineddelegation": false, "serviceprincipalnames": [ "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA", "DATA" ], "lastlogontimestamp": 1506599859, "pwdlastset": 1505682659, "operatingsystem": "DATA" }, "AllowedToDelegate": [], "AllowedToAct": [], "PrimaryGroupSid": "DATA", "Sessions": [], "LocalAdmins": [], "RemoteDesktopUsers": [], "DcomUsers": [], "PSRemoteUsers": [], "ObjectIdentifier": "DATA", "Aces": [ { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "Owner", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": false }, { "PrincipalSID": "DATA", "PrincipalType": "User", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Unknown", "RightName": "GenericAll", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteDacl", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "WriteOwner", "AceType": "", "IsInherited": true }, { "PrincipalSID": "DATA", "PrincipalType": "Group", "RightName": "GenericWrite", "AceType": "", "IsInherited": true } ] &lt;...truncated...&gt;</P><P>Any suggestions on how I can get this to break properly &amp; extract the field value pairs?&nbsp; Thank you!</P> Thu, 13 May 2021 23:29:35 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551512#M91533 jason_hotchkiss 2021-05-13T23:29:35Z https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551530#M91537 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226579">@jason_hotchkiss</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">[YOUR_SOURCETYPE] SHOULD_LINEMERGE=false LINE_BREAKER=]}(\,\s){\"Properties NO_BINARY_CHECK=true SEDCMD-a=s/{\"computers\": \[//g SEDCMD-b=s/\]}\]}$/]}/g TRUNCATE=0</LI-CODE><P>&nbsp;</P><P>Thanks<BR />Kamlesh Vaghela</P> Fri, 14 May 2021 05:30:20 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551530#M91537 kamlesh_vaghela 2021-05-14T05:30:20Z https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551612#M91547 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;<BR /><BR />Hello Kamlesh - that did not work, and I believe that was my fault, as the log format came in wrong.<BR /><BR />Here is the regex:&nbsp; <A href="https://regex101.com/r/KkpSIM/1" target="_blank">https://regex101.com/r/KkpSIM/1</A></P> Fri, 14 May 2021 14:30:25 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551612#M91547 jason_hotchkiss 2021-05-14T14:30:25Z https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551637#M91556 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226579">@jason_hotchkiss</a>&nbsp;</P><P>&nbsp;</P><P>Ca you please try this?</P><LI-CODE lang="markup">[ &lt;SOURCETYPE NAME&gt; ] SHOULD_LINEMERGE=false LINE_BREAKER=\]\n\s{4}}(,\s{5}){\n\s{6}"Properties": NO_BINARY_CHECK=true CHARSET=UTF-8 disabled=false SEDCMD-a=s/{\n\s{2}"computers":\s\[\n\s{4}//g SEDCMD-b=s/\n\s*//g SEDCMD-c=s/\]}\]}$/]}/g</LI-CODE><P>&nbsp;</P><P>Your provided json was not valid. So I have added closing brackets at the end.&nbsp;</P><P>Check the sample I have used.</P><P><A href="https://regex101.com/r/NFxrJp/1" target="_blank">https://regex101.com/r/NFxrJp/1</A></P><P>&nbsp;</P><P>Thanks<BR />KV ▄︻̷̿┻̿═━一<BR /><BR />If this reply helps you, an upvote would be appreciated.</P> Fri, 14 May 2021 17:36:05 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551637#M91556 kamlesh_vaghela 2021-05-14T17:36:05Z https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551669#M91558 <P>This works! Thank you!</P> Fri, 14 May 2021 20:33:05 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-file-will-not-break-correctly-OR-create-field-extractions/m-p/551669#M91558 jason_hotchkiss 2021-05-14T20:33:05Z