https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479678#M134446 <P>Hello,</P> <P>I have been working on breaking events which come from the Splunk Rest api addon output. Default "_json" source_type is considering the entire api response as a single event. My aim is to get individual events for objects come under "results". I have tested some custom source types using props.conf but none of them seems working. Please help me with the props.conf entries.</P> <P>Required individual event example. NB : The fields in the event is dynamic</P> <P>{<BR /> "created" : "2020-02-27T06:14:34Z",<BR /> "eventTypeName" : "EVENT1",<BR /> "groupId" : "xxx",<BR /> "id" : "xxx",<BR /> "isGlobalAdmin" : false,<BR /> "links" : [ {<BR /> "href" : "<A href="https://example.com/api/v2" target="_blank">https://example.com/api/v2</A>",<BR /> "rel" : "self"<BR /> } ]<BR /> }</P> <P>I am pasting the entire API response below :</P> <PRE><CODE>Code below : { "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ], "results" : [ { "created" : "2020-02-27T06:14:34Z", "eventTypeName" : "EVENT1", "groupId" : "xxxxx", "id" : "xxxx", "isGlobalAdmin" : false, "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ] }, { "clusterName" : "splunk-cluster", "created" : "2020-02-27T06:14:33Z", "eventTypeName" : "EVENT2", "groupId" : "xxxxx", "id" : "xxxxx", "isGlobalAdmin" : false, "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ] }, { "created" : "2020-02-27T06:14:32Z", "eventTypeName" : "EVENT3", "groupId" : "xxxxxx", "id" : "xxxxxx", "isGlobalAdmin" : false, "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ], "remoteAddress" : "xx.xx.xx.xx", "userId" : "xxxxxx", "username" : "Sam-test" } ], "totalCount" : 3 } </CODE></PRE> Wed, 30 Sep 2020 04:21:42 GMT dvarghes 2020-09-30T04:21:42Z https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479678#M134446 <P>Hello,</P> <P>I have been working on breaking events which come from the Splunk Rest api addon output. Default "_json" source_type is considering the entire api response as a single event. My aim is to get individual events for objects come under "results". I have tested some custom source types using props.conf but none of them seems working. Please help me with the props.conf entries.</P> <P>Required individual event example. NB : The fields in the event is dynamic</P> <P>{<BR /> "created" : "2020-02-27T06:14:34Z",<BR /> "eventTypeName" : "EVENT1",<BR /> "groupId" : "xxx",<BR /> "id" : "xxx",<BR /> "isGlobalAdmin" : false,<BR /> "links" : [ {<BR /> "href" : "<A href="https://example.com/api/v2" target="_blank">https://example.com/api/v2</A>",<BR /> "rel" : "self"<BR /> } ]<BR /> }</P> <P>I am pasting the entire API response below :</P> <PRE><CODE>Code below : { "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ], "results" : [ { "created" : "2020-02-27T06:14:34Z", "eventTypeName" : "EVENT1", "groupId" : "xxxxx", "id" : "xxxx", "isGlobalAdmin" : false, "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ] }, { "clusterName" : "splunk-cluster", "created" : "2020-02-27T06:14:33Z", "eventTypeName" : "EVENT2", "groupId" : "xxxxx", "id" : "xxxxx", "isGlobalAdmin" : false, "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ] }, { "created" : "2020-02-27T06:14:32Z", "eventTypeName" : "EVENT3", "groupId" : "xxxxxx", "id" : "xxxxxx", "isGlobalAdmin" : false, "links" : [ { "href" : "https://example.com/api/v2", "rel" : "self" } ], "remoteAddress" : "xx.xx.xx.xx", "userId" : "xxxxxx", "username" : "Sam-test" } ], "totalCount" : 3 } </CODE></PRE> Wed, 30 Sep 2020 04:21:42 GMT https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479678#M134446 dvarghes 2020-09-30T04:21:42Z https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479679#M134447 <P>The following line breaker is not working :</P> <PRE><CODE>(\},) </CODE></PRE> Thu, 27 Feb 2020 06:53:20 GMT https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479679#M134447 dvarghes 2020-02-27T06:53:20Z https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479680#M134448 <P>I have tried this in props conf, but not working : </P> <PRE><CODE> # props.conf [xxxxxxx] BREAK_ONLY_BEFORE_DATE = false BREAK_ONLY_BEFORE = (\{|\[\s+{) MUST_BREAK_AFTER = (\}|\}\s+\]) SEDCMD-remove_header = s/(\{\s+.+?\[)//g SEDCMD-remove_trailing_commas = s/\},/}/g SEDCMD-remove_footer = s/\]\s+\}//g </CODE></PRE> Thu, 27 Feb 2020 10:03:52 GMT https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479680#M134448 dvarghes 2020-02-27T10:03:52Z https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479681#M134449 <P>KV_MODE=JSON<BR /> only.<BR /> OR<BR /> <A href="https://answers.splunk.com/answers/802709/make-extractions-in-propsconf-from-search-query.html">https://answers.splunk.com/answers/802709/make-extractions-in-propsconf-from-search-query.html</A></P> Thu, 27 Feb 2020 21:50:00 GMT https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479681#M134449 to4kawa 2020-02-27T21:50:00Z https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479682#M134450 <P>This did not work. All the API response is being considered as a single event.</P> Fri, 28 Feb 2020 08:42:18 GMT https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479682#M134450 dvarghes 2020-02-28T08:42:18Z https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479683#M134451 <P><CODE>spath</CODE>can be used single event.<BR /> my Q's solution needs LINE_BREAKER</P> <PRE><CODE>| makeresults | eval _raw="{\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}],\"results\":[{\"created\":\"2020-02-27T06:14:34Z\",\"eventTypeName\":\"EVENT1\",\"groupId\":\"xxxxx\",\"id\":\"xxxx\",\"isGlobalAdmin\":false,\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}]},{\"clusterName\":\"splunk-cluster\",\"created\":\"2020-02-27T06:14:33Z\",\"eventTypeName\":\"EVENT2\",\"groupId\":\"xxxxx\",\"id\":\"xxxxx\",\"isGlobalAdmin\":false,\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}]},{\"created\":\"2020-02-27T06:14:32Z\",\"eventTypeName\":\"EVENT3\",\"groupId\":\"xxxxxx\",\"id\":\"xxxxxx\",\"isGlobalAdmin\":false,\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}],\"remoteAddress\":\"xx.xx.xx.xx\",\"userId\":\"xxxxxx\",\"username\":\"Sam-test\"}],\"totalCount\":3}" | spath </CODE></PRE> <P>your JSON is valid JSON. <CODE>KV_MODE=JSON</CODE> will run.<BR /> maybe, your <EM>props.conf</EM> has extra line breakers, so it's not work.</P> Fri, 28 Feb 2020 09:00:32 GMT https://community.splunk.com/t5/Splunk-Search/Break-individual-events-from-json-array/m-p/479683#M134451 to4kawa 2020-02-28T09:00:32Z