Split event containing a list of objects/records

rohanmiskin · ‎04-28-2022

I have a service that does uploading in bulk per request. Each request will contain a list of 100 records. In splunk i get this list of 100 request as one event. Is there a way i can split this list and generate 100 splunk events through query

Sample log event:

[2022-04-28T09:27:39,755+0000]-[INFO ]-["threadPoolTaskExecutor-1" traceId=8f22a26fcd03cdfdcd186131aa862c09, spanId=c4bb44c1f0561b9b, sampled=false cid=, clu=]-[c.i.v.s.t.k.EventBusConsumer]-[110]-Message. key = null . Size = 5008 . Value = {"items": [{"contactID": "1","firstName": "ricj"},{"contactID": "2","firstName": "rock"},{"contactID": "3","firstName": "rob"}]}

Expected events:

{"contactID": "1","firstName": "rich"}

{"contactID": "2","firstName": "rock"}

{"contactID": "3","firstName": "rob"}

ITWhisperer · ‎04-28-2022

| rex "Value = (?<json>\{.*\})"
| spath input=json items{} output=items
| mvexpand items
| spath input=items

Split event containing a list of objects/records

development

search

troubleshooting

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update