Issues with event parsing using prop configuration file

SplunkDash — Wed, 28 Feb 2024 01:58:25 GMT

Hello,

I have some issues with parsing events and a few sample events are given below:

{"eventVer":"2.56", "userId":"A021", "accountId":"Adm01", "accessKey":"21asaa", "time":"2023-12-03T09:10:15", "statusCode":"active"} {"eventVer":"2.56", "userId":"A021", "accountId":"Adm01", "accessKey":"21asaa", "time":"2023-12-03T09:09:11", "statusCode":"active"} {"eventVer":"2.56", "userId":"A021", "accountId":"Adm02", "accessKey":"26dsaa", "time":"2023-12-03T09:09:08", "statusCode":"active"} {\"eventVer\":\"2.56", "userId":"B001", "accountId":"Test04", "accessKey":"21fsda", "time":"2023-12-03T09:09:04", "statusCode":"active"} {\"eventVer\":\"2.56", "userId":"B009", "accountId":"Adm01", "accessKey":"21assaa", "time":"2023-12-03T09:09:01", "statusCode":"active"} {"eventVer":"2.56", "userId":"B023", "accountId":"Adm01", "accessKey":"30tsaa", "time":"2023-12-03T09:08:55", "statusCode":"active"} {"eventVer":"2.56", "userId":"A025", "accountId":"Adm01", "accessKey":"21asaa", "time":"2023-12-03T09:08:51", "statusCode":"active"} {"eventVer":"2.56", "userId":"C015", "accountId":"Dev01", "accessKey":"41scab", "time":"2023-12-03T09:08:48", "statusCode":"active"}

The event breaking point is marked as Bold and I used

LINE_BREAKER=([\r\n]*)\{"eventVer":"

in my prop.conf file, but not parsing all events as expected. Any recommendations will be highly appreciated. Thank you.

Re: Issues with event parsing using prop configuration file

victor_menezes — Wed, 28 Feb 2024 02:40:29 GMT

Looks like you don't have nested json events in there, so have you tried to just regex by the } and { characters?

Try this:
[your_sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = \}\s+\{

topic Issues with event parsing using prop configuration file in Splunk Search

Issues with event parsing using prop configuration file

Re: Issues with event parsing using prop configuration file