https://community.splunk.com/t5/Splunk-Search/How-can-I-split-JSON-into-multiple-events/m-p/431190#M174222 <P>Hi,</P> <P>can anyone help me a bit? i am trying to split an event in more lines or more events, every events got multiple lines starting with the below</P> <PRE><CODE>{"class": </CODE></PRE> <P>what i want is to parse every line as separated event</P> <P>i tried with line breaker and event breaker, but i am not really god at regex</P> <P>props.conf</P> <PRE><CODE>[source:/opt/api/shared/log/sidekiq.log] EVENT_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false </CODE></PRE> <P>also i got this error message in splunkd.log</P> <PRE><CODE>AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set BREAK_ONLY_BEFORE_DATE to False, and unset any MUST_NOT_BREAK_BEFORE or MUST_NOT_BREAK_AFTER rules. Typically this will amount to treating this data as single-line only. - data_source="/log/sidekiq.log", data_host="blabla", data_sourcetype="ruby_on_rails" </CODE></PRE> <P>Thanks!</P> Fri, 07 Dec 2018 12:40:21 GMT 0xlc 2018-12-07T12:40:21Z https://community.splunk.com/t5/Splunk-Search/How-can-I-split-JSON-into-multiple-events/m-p/431190#M174222 <P>Hi,</P> <P>can anyone help me a bit? i am trying to split an event in more lines or more events, every events got multiple lines starting with the below</P> <PRE><CODE>{"class": </CODE></PRE> <P>what i want is to parse every line as separated event</P> <P>i tried with line breaker and event breaker, but i am not really god at regex</P> <P>props.conf</P> <PRE><CODE>[source:/opt/api/shared/log/sidekiq.log] EVENT_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false </CODE></PRE> <P>also i got this error message in splunkd.log</P> <PRE><CODE>AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set BREAK_ONLY_BEFORE_DATE to False, and unset any MUST_NOT_BREAK_BEFORE or MUST_NOT_BREAK_AFTER rules. Typically this will amount to treating this data as single-line only. - data_source="/log/sidekiq.log", data_host="blabla", data_sourcetype="ruby_on_rails" </CODE></PRE> <P>Thanks!</P> Fri, 07 Dec 2018 12:40:21 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-JSON-into-multiple-events/m-p/431190#M174222 0xlc 2018-12-07T12:40:21Z https://community.splunk.com/t5/Splunk-Search/How-can-I-split-JSON-into-multiple-events/m-p/431191#M174223 <P>Hi! I think you are missing a colon in the first line. Try</P> <PRE><CODE>[source::/opt/api/shared/log/sidekiq.log] </CODE></PRE> <P>instead of</P> <PRE><CODE>[source:/opt/api/shared/log/sidekiq.log] </CODE></PRE> Fri, 07 Dec 2018 14:01:22 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-JSON-into-multiple-events/m-p/431191#M174223 whrg 2018-12-07T14:01:22Z https://community.splunk.com/t5/Splunk-Search/How-can-I-split-JSON-into-multiple-events/m-p/431192#M174224 <P>well that did the trick! Thanks</P> <P>now i need to parse the nested list inside the same line.</P> <P>i'll have a look around here propably there is already the answer</P> <P>i am trying with spath but is not working</P> <P>i got something like:</P> <PRE><CODE>{"class":"EventsWorker","args":["{\"id\"=187918,....] </CODE></PRE> <P>i can't extract args, i tried:</P> <PRE><CODE>mysearch | spath path=args{} output=args </CODE></PRE> Fri, 07 Dec 2018 16:27:09 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-JSON-into-multiple-events/m-p/431192#M174224 0xlc 2018-12-07T16:27:09Z