Re: Splunk Add-on for Microsoft Cloud Services not...

hughkelley · ‎07-07-2021

The add-on fails to line break JSON docs into separate events/logs when pulling from an event hub.

Certain Azure services seem to write multiple JSON docs to a single event hub message.

Is there an option to correct this parsing?

{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........
{"body":{"records": {"DataCenterName": "East US 2", "DeploymentUnit": "xyz", "EventId": 160, "EventName": "AzureBackupCentralReport", "properties": {"VaultUniqueId": ".........

JkNo · ‎07-22-2021

Add the following to props.conf

[yoursourcetypename]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true

dfronck · ‎09-04-2021

We get these too but only when the add-on first starts. Then it seems like everything line breaks correctly.

The suggested props config did not fix this for us.

vmhenard · ‎10-06-2021

Hello,

We have the same issue, we are currently using a Regex line breaker to remove the outer layers of json added by the event-hub (as well as the x-opt-sequence-number, x-opt-offset and x-opt-enqueued-time fields) and only get the events themselves.

It is not ideal, but it works so far.

(\s*\{\"body\"\:\{\"records\"\:\s*\[)|((?<=\}),(?=\{\s*\"))|((?<=\})\]\},\"x-opt.*\}\s*\{\"body\"\:\{\"records\"\:\s*\[)|((?<=\})\]\},\"x-opt.*\})

First group catches the first of new messages, second group catches the events nested in records, third groups catches the end of a message and the start of a new one, fourth group catches the end of the last message.
Hope this helps, it might need to be tweaked depending on the resource.

Splunk Add-on for Microsoft Cloud Services not line breaking JSON docs from event hub

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation