topic Re: Importing validated JSON (RFC 4627) does not split events in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Importing-validated-JSON-RFC-4627-does-not-split-events/m-p/405082#M95338 <P>You're ingesting one JSON object, so Splunk reads one JSON object.</P> <P>You could<BR /> - generate the data as separate objects<BR /> - turn off indexed extractions and use regex to chop the big object into small objects<BR /> - use an external preprocessor</P> Thu, 11 Apr 2019 10:28:12 GMT martin_mueller 2019-04-11T10:28:12Z Importing validated JSON (RFC 4627) does not split events https://community.splunk.com/t5/Getting-Data-In/Importing-validated-JSON-RFC-4627-does-not-split-events/m-p/405081#M95337 <P>Hi,<BR /> we have a service which is showing details for he latest last 10 executed jobs in a JSON (RFC 4627) format.<BR /> I already validated that format with several JSON validators on the web.</P> <P><STRONG>Splunk is not splitting the events/jobs. <BR /> Do you have a solution for that challenge?</STRONG></P> <P>The JSON data is in the following.<BR /> The timestamp is in the field changed_at.</P> <HR /> <P>{<BR /> "monitored_jobs":[<BR /> {<BR /> "monitored_element_id":52,<BR /> "work_order_part_id":10,<BR /> "quantity":500,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"HALTED",<BR /> "changed_at":"2019-04-10T15:46:55.734Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":9,<BR /> "work_order_part_id":9,<BR /> "quantity":500,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"HALTED",<BR /> "changed_at":"2019-04-10T14:15:15.837Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":8,<BR /> "work_order_part_id":8,<BR /> "quantity":100,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"COMPLETED",<BR /> "changed_at":"2019-04-10T13:47:53.763Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":7,<BR /> "work_order_part_id":7,<BR /> "quantity":50,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"COMPLETED",<BR /> "changed_at":"2019-04-10T13:38:15.803Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":6,<BR /> "work_order_part_id":6,<BR /> "quantity":5,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"COMPLETED",<BR /> "changed_at":"2019-04-10T13:34:26.396Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":5,<BR /> "work_order_part_id":5,<BR /> "quantity":1,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"COMPLETED",<BR /> "changed_at":"2019-04-10T11:05:36.366Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":4,<BR /> "work_order_part_id":4,<BR /> "quantity":1,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"HALTED",<BR /> "changed_at":"2019-04-10T10:53:29.173Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":3,<BR /> "work_order_part_id":3,<BR /> "quantity":1,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"COMPLETED",<BR /> "changed_at":"2019-04-10T10:46:06.857Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":2,<BR /> "work_order_part_id":2,<BR /> "quantity":1,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"HALTED",<BR /> "changed_at":"2019-04-10T10:24:22.473Z"<BR /> }<BR /> },<BR /> {<BR /> "monitored_element_id":1,<BR /> "work_order_part_id":1,<BR /> "quantity":1,<BR /> "priority":4,<BR /> "status":{<BR /> "value":"HALTED",<BR /> "changed_at":"2019-04-10T09:42:46.452Z"<BR /> }<BR /> }<BR /> ],<BR /> "page":{<BR /> "size":10,<BR /> "total_elements":10,<BR /> "total_pages":1,<BR /> "number":1<BR /> }</P> <H2>}</H2> <P>When I try to import that as a file SPLUNK shows me the following:</P> <P><IMG src="https://community.splunk.com/storage/temp/271034-11-04-2019-09-07-10.png" alt="alt text" /></P> Wed, 30 Sep 2020 00:04:37 GMT https://community.splunk.com/t5/Getting-Data-In/Importing-validated-JSON-RFC-4627-does-not-split-events/m-p/405081#M95337 timodellai 2020-09-30T00:04:37Z Re: Importing validated JSON (RFC 4627) does not split events https://community.splunk.com/t5/Getting-Data-In/Importing-validated-JSON-RFC-4627-does-not-split-events/m-p/405082#M95338 <P>You're ingesting one JSON object, so Splunk reads one JSON object.</P> <P>You could<BR /> - generate the data as separate objects<BR /> - turn off indexed extractions and use regex to chop the big object into small objects<BR /> - use an external preprocessor</P> Thu, 11 Apr 2019 10:28:12 GMT https://community.splunk.com/t5/Getting-Data-In/Importing-validated-JSON-RFC-4627-does-not-split-events/m-p/405082#M95338 martin_mueller 2019-04-11T10:28:12Z