topic JSON line breaking in Getting Data In https://community.splunk.com/t5/Getting-Data-In/JSON-line-breaking/m-p/460159#M99458 <P>I am trying to break one big json event into several events, eventually 1080, but in the example below there would be 5 events</P> <P>I know I need to create a props.conf</P> <P>This is what I have so far, but it is not working</P> <PRE><CODE>[me_json] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)agent_installed_dir TIME_PREFIX = process_end_time:\s+ TIME_FORMAT = %s%3N </CODE></PRE> <P>This is a sample of the event, with real data (systems/IPs) removed</P> <PRE><CODE>{ [-] message_response: { [-] limit: 5 page: 1 scancomputers: [ [-] { [-] agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\ agent_installed_on: 1535659874922 agent_last_contact_time: 1571069154000 agent_logged_on_users: blah agent_version: 10.0.362.W branch_office_name: my Computers build_number: 18362.418 computer_live_status: 1 computer_status_update_time: 1570734355370 description: -- domain_netbios_name: mydomain error_kb_url: -- installation_status: 22 ip_address: 10.100.1.1 last_successful_scan: 1570718183654 last_sync_time: 1571072071009 mac_address: xx:xx:xx:xx:xx:xx os_platform: 1 os_version: 10.0.18362 osflavor_id: 0 process_end_time: 1570718183654 process_start_time: 1569940581295 resource_id: 3373 resource_name: blah_blah1 scan_remarks: dc.common.SCANNING_COMPLETED scan_remarks_en: Scanning Completed scan_status: 2 service_pack: Windows 10 Version 1903 (x64) service_pack_major_version: 0 service_pack_minor_version: 0 software_name: Windows 10 Professional Edition (x64) status_label: dc.db.som.status.installed_successfully } { [-] agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\ agent_installed_on: 1535662084385 agent_last_contact_time: 1571070178000 agent_logged_on_users: -- agent_version: 10.0.362.W branch_office_name: my Computers build_number: 7601.24524 computer_live_status: 1 computer_status_update_time: 1570737696974 description: -- domain_netbios_name: mydomain error_kb_url: -- installation_status: 22 ip_address: 10.100.1.2 last_successful_scan: 1570716193151 last_sync_time: 1571072071009 mac_address: xx:xx:xx:xx:xx:xx os_platform: 1 os_version: 6.1.7601 osflavor_id: 0 process_end_time: 1570716193151 process_start_time: 1569573982199 resource_id: 3539 resource_name: blah_blah2 scan_remarks: dc.common.SCANNING_COMPLETED scan_remarks_en: Scanning Completed scan_status: 2 service_pack: Windows 7 SP1 (x64) service_pack_major_version: 1 service_pack_minor_version: 0 software_name: Windows 7 Professional Edition (x64) status_label: dc.db.som.status.installed_successfully } { [+] } { [+] } { [+] } ] total: 1080 } message_type: scancomputers message_version: 1.0 status: success } </CODE></PRE> Mon, 14 Oct 2019 17:46:50 GMT mcbradfordwcb 2019-10-14T17:46:50Z JSON line breaking https://community.splunk.com/t5/Getting-Data-In/JSON-line-breaking/m-p/460159#M99458 <P>I am trying to break one big json event into several events, eventually 1080, but in the example below there would be 5 events</P> <P>I know I need to create a props.conf</P> <P>This is what I have so far, but it is not working</P> <PRE><CODE>[me_json] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)agent_installed_dir TIME_PREFIX = process_end_time:\s+ TIME_FORMAT = %s%3N </CODE></PRE> <P>This is a sample of the event, with real data (systems/IPs) removed</P> <PRE><CODE>{ [-] message_response: { [-] limit: 5 page: 1 scancomputers: [ [-] { [-] agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\ agent_installed_on: 1535659874922 agent_last_contact_time: 1571069154000 agent_logged_on_users: blah agent_version: 10.0.362.W branch_office_name: my Computers build_number: 18362.418 computer_live_status: 1 computer_status_update_time: 1570734355370 description: -- domain_netbios_name: mydomain error_kb_url: -- installation_status: 22 ip_address: 10.100.1.1 last_successful_scan: 1570718183654 last_sync_time: 1571072071009 mac_address: xx:xx:xx:xx:xx:xx os_platform: 1 os_version: 10.0.18362 osflavor_id: 0 process_end_time: 1570718183654 process_start_time: 1569940581295 resource_id: 3373 resource_name: blah_blah1 scan_remarks: dc.common.SCANNING_COMPLETED scan_remarks_en: Scanning Completed scan_status: 2 service_pack: Windows 10 Version 1903 (x64) service_pack_major_version: 0 service_pack_minor_version: 0 software_name: Windows 10 Professional Edition (x64) status_label: dc.db.som.status.installed_successfully } { [-] agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\ agent_installed_on: 1535662084385 agent_last_contact_time: 1571070178000 agent_logged_on_users: -- agent_version: 10.0.362.W branch_office_name: my Computers build_number: 7601.24524 computer_live_status: 1 computer_status_update_time: 1570737696974 description: -- domain_netbios_name: mydomain error_kb_url: -- installation_status: 22 ip_address: 10.100.1.2 last_successful_scan: 1570716193151 last_sync_time: 1571072071009 mac_address: xx:xx:xx:xx:xx:xx os_platform: 1 os_version: 6.1.7601 osflavor_id: 0 process_end_time: 1570716193151 process_start_time: 1569573982199 resource_id: 3539 resource_name: blah_blah2 scan_remarks: dc.common.SCANNING_COMPLETED scan_remarks_en: Scanning Completed scan_status: 2 service_pack: Windows 7 SP1 (x64) service_pack_major_version: 1 service_pack_minor_version: 0 software_name: Windows 7 Professional Edition (x64) status_label: dc.db.som.status.installed_successfully } { [+] } { [+] } { [+] } ] total: 1080 } message_type: scancomputers message_version: 1.0 status: success } </CODE></PRE> Mon, 14 Oct 2019 17:46:50 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-line-breaking/m-p/460159#M99458 mcbradfordwcb 2019-10-14T17:46:50Z Re: JSON line breaking https://community.splunk.com/t5/Getting-Data-In/JSON-line-breaking/m-p/460160#M99459 <P>@mcbradfordwcb </P> <P>Please share <CODE>_raw</CODE> event in the code block. </P> Tue, 15 Oct 2019 05:57:15 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-line-breaking/m-p/460160#M99459 kamlesh_vaghela 2019-10-15T05:57:15Z