Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk Add-on for Microsoft Cloud Services not...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Add-on for Microsoft Cloud Services not line breaking JSON docs from event hub
The add-on fails to line break JSON docs into separate events/logs when pulling from an event hub.
Certain Azure services seem to write multiple JSON docs to a single event hub message.
Is there an option to correct this parsing?
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add the following to props.conf
[yoursourcetypename]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We get these too but only when the add-on first starts. Then it seems like everything line breaks correctly.
The suggested props config did not fix this for us.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We have the same issue, we are currently using a Regex line breaker to remove the outer layers of json added by the event-hub (as well as the x-opt-sequence-number, x-opt-offset and x-opt-enqueued-time fields) and only get the events themselves.
It is not ideal, but it works so far.
(\s*\{\"body\"\:\{\"records\"\:\s*\[)|((?<=\}),(?=\{\s*\"))|((?<=\})\]\},\"x-opt.*\}\s*\{\"body\"\:\{\"records\"\:\s*\[)|((?<=\})\]\},\"x-opt.*\})
First group catches the first of new messages, second group catches the events nested in records, third groups catches the end of a message and the start of a new one, fourth group catches the end of the last message.
Hope this helps, it might need to be tweaked depending on the resource.
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
