https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390399#M113707 <P>Solved with the following config:</P> <PRE><CODE>[sourcetype] KV_MODE = json LINE_BREAKER = \}(,\s+)\{ SEDCMD-remove_footer = s/\}\s+\]//g SEDCMD-remove_header = s/\{\s+\"local\"\:\s+\[//g SHOULD_LINEMERGE = 0 pulldown_type = 1 </CODE></PRE> Thu, 04 Apr 2019 18:35:05 GMT mayurr98 2019-04-04T18:35:05Z https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390397#M113705 <P><STRONG>I have an event :</STRONG></P> <PRE><CODE>{ "local": [ { "display_name": "juniper0", "tenant": null, "created": "2019-03-29", "local_context_data": { "ntp": { "peers": [ "192.168.10.15", "192.168.10.16" ] } }, "serial": "124334", "asset_tag": null, "site": { "id": 1, "name": "TestSite", "slug": "testsite" }, "virtual_chassis": null, "primary_ip4": { "id": 7, "address": "192.37.28.78/24", "family": 4 }, "cluster": null, "tags": [], "last_updated": "2019-04-01T09:41:41.633296Z", "vc_position": null, "primary_ip": { "id": 7, "address": "192.37.28.78/24", "family": 4 }, "device_type": { "id": 1, "display_name": "Juniper test", "manufacturer": { "id": 5, "name": "Juniper", "slug": "juniper" }, "slug": "test", "model": "test" }, "primary_ip6": null, "parent_device": null, "face": null, "device_role": { "id": 3, "name": "Switch", "slug": "switch" }, "comments": "", "platform": null, "name": "juniper0", "id": 8, "status": { "value": 1, "label": "Active" }, "position": null, "custom_fields": {}, "rack": null, "vc_priority": null }, { "display_name": "juniper1", "tenant": null, "created": "2019-04-02", "local_context_data": null, "serial": "", "asset_tag": null, "site": { "id": 1, "name": "TestSite", "slug": "testsite" }, "virtual_chassis": null, "primary_ip4": null, "cluster": null, "tags": [], "last_updated": "2019-04-02T18:08:16.222025Z", "vc_position": null, "primary_ip": null, "device_type": { "id": 1, "display_name": "Juniper test", "manufacturer": { "id": 5, "name": "Juniper", "slug": "juniper" }, "slug": "test", "model": "test" }, "primary_ip6": null, "parent_device": null, "face": null, "device_role": { "id": 6, "name": "Firewall", "slug": "firewall" }, "comments": "", "platform": null, "name": "juniper1", "id": 9, "status": { "value": 1, "label": "Active" }, "position": null, "custom_fields": {}, "rack": null, "vc_priority": null } ] } </CODE></PRE> <P>I want this event to be split into 2 events such as : </P> <P><STRONG>1st Event</STRONG></P> <PRE><CODE>{ "display_name": "juniper0", "tenant": null, "created": "2019-03-29", "local_context_data": { "ntp": { "peers": [ "192.168.10.15", "192.168.10.16" ] } }, "serial": "124334", "asset_tag": null, "site": { "id": 1, "name": "TestSite", "slug": "testsite" }, "virtual_chassis": null, "primary_ip4": { "id": 7, "address": "192.37.28.78/24", "family": 4 }, "cluster": null, "tags": [], "last_updated": "2019-04-01T09:41:41.633296Z", "vc_position": null, "primary_ip": { "id": 7, "address": "192.37.28.78/24", "family": 4 }, "device_type": { "id": 1, "display_name": "Juniper test", "manufacturer": { "id": 5, "name": "Juniper", "slug": "juniper" }, "slug": "test", "model": "test" }, "primary_ip6": null, "parent_device": null, "face": null, "device_role": { "id": 3, "name": "Switch", "slug": "switch" }, "comments": "", "platform": null, "name": "juniper0", "id": 8, "status": { "value": 1, "label": "Active" }, "position": null, "custom_fields": {}, "rack": null, "vc_priority": null } </CODE></PRE> <P><STRONG>2nd Event</STRONG></P> <PRE><CODE>{ "display_name": "juniper1", "tenant": null, "created": "2019-04-02", "local_context_data": null, "serial": "", "asset_tag": null, "site": { "id": 1, "name": "TestSite", "slug": "testsite" }, "virtual_chassis": null, "primary_ip4": null, "cluster": null, "tags": [], "last_updated": "2019-04-02T18:08:16.222025Z", "vc_position": null, "primary_ip": null, "device_type": { "id": 1, "display_name": "Juniper test", "manufacturer": { "id": 5, "name": "Juniper", "slug": "juniper" }, "slug": "test", "model": "test" }, "primary_ip6": null, "parent_device": null, "face": null, "device_role": { "id": 6, "name": "Firewall", "slug": "firewall" }, "comments": "", "platform": null, "name": "juniper1", "id": 9, "status": { "value": 1, "label": "Active" }, "position": null, "custom_fields": {}, "rack": null, "vc_priority": null } </CODE></PRE> Wed, 03 Apr 2019 22:48:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390397#M113705 mayurr98 2019-04-03T22:48:14Z https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390398#M113706 <P>@mayurr98 </P> <P>Can you please try below configurations in your props.conf?</P> <PRE><CODE>[my_stanza] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=true NO_BINARY_CHECK=true LINE_BREAKER=}(\,){ SEDCMD-break=s/({"local": \[)//g SEDCMD-b=s/]}$//g </CODE></PRE> Thu, 04 Apr 2019 06:14:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390398#M113706 kamlesh_vaghela 2019-04-04T06:14:09Z https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390399#M113707 <P>Solved with the following config:</P> <PRE><CODE>[sourcetype] KV_MODE = json LINE_BREAKER = \}(,\s+)\{ SEDCMD-remove_footer = s/\}\s+\]//g SEDCMD-remove_header = s/\{\s+\"local\"\:\s+\[//g SHOULD_LINEMERGE = 0 pulldown_type = 1 </CODE></PRE> Thu, 04 Apr 2019 18:35:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390399#M113707 mayurr98 2019-04-04T18:35:05Z https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390400#M113708 <P>Thanks for the reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 04 Apr 2019 18:36:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-JSON-array-into-Multiple-events-at-Index-Time/m-p/390400#M113708 mayurr98 2019-04-04T18:36:11Z