JSON line breaking

mcbradfordwcb · ‎10-14-2019

I am trying to break one big json event into several events, eventually 1080, but in the example below there would be 5 events

I know I need to create a props.conf

This is what I have so far, but it is not working

[me_json]
SHOULD_LINEMERGE        = false
LINE_BREAKER            = ([\r\n]+)agent_installed_dir 
TIME_PREFIX = process_end_time:\s+
TIME_FORMAT = %s%3N

This is a sample of the event, with real data (systems/IPs) removed

{ [-]
   message_response: { [-]
     limit: 5
     page: 1
     scancomputers: [ [-]
       { [-]
         agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\
         agent_installed_on: 1535659874922
         agent_last_contact_time: 1571069154000
         agent_logged_on_users: blah
         agent_version: 10.0.362.W
         branch_office_name: my Computers
         build_number: 18362.418
         computer_live_status: 1
         computer_status_update_time: 1570734355370
         description: --
         domain_netbios_name: mydomain
         error_kb_url: --
         installation_status: 22
         ip_address: 10.100.1.1
         last_successful_scan: 1570718183654
         last_sync_time: 1571072071009
         mac_address: xx:xx:xx:xx:xx:xx
         os_platform: 1
         os_version: 10.0.18362
         osflavor_id: 0
         process_end_time: 1570718183654
         process_start_time: 1569940581295
         resource_id: 3373
         resource_name: blah_blah1
         scan_remarks: dc.common.SCANNING_COMPLETED
         scan_remarks_en: Scanning Completed
         scan_status: 2
         service_pack: Windows 10 Version 1903 (x64)
         service_pack_major_version: 0
         service_pack_minor_version: 0
         software_name: Windows 10 Professional Edition (x64)
         status_label: dc.db.som.status.installed_successfully
       }
       { [-]
         agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\
         agent_installed_on: 1535662084385
         agent_last_contact_time: 1571070178000
         agent_logged_on_users: --
         agent_version: 10.0.362.W
         branch_office_name: my Computers
         build_number: 7601.24524
         computer_live_status: 1
         computer_status_update_time: 1570737696974
         description: --
         domain_netbios_name: mydomain
         error_kb_url: --
         installation_status: 22
         ip_address: 10.100.1.2
         last_successful_scan: 1570716193151
         last_sync_time: 1571072071009
         mac_address: xx:xx:xx:xx:xx:xx
         os_platform: 1
         os_version: 6.1.7601
         osflavor_id: 0
         process_end_time: 1570716193151
         process_start_time: 1569573982199
         resource_id: 3539
         resource_name: blah_blah2
         scan_remarks: dc.common.SCANNING_COMPLETED
         scan_remarks_en: Scanning Completed
         scan_status: 2
         service_pack: Windows 7 SP1 (x64)
         service_pack_major_version: 1
         service_pack_minor_version: 0
         software_name: Windows 7 Professional Edition (x64)
         status_label: dc.db.som.status.installed_successfully
       }
       { [+]
       }
       { [+]
       }
       { [+]
       }
     ]
     total: 1080
   }
   message_type: scancomputers
   message_version: 1.0
   status: success
}

kamlesh_vaghela · ‎10-14-2019

@mcbradfordwcb

Please share _raw event in the code block.

JSON line breaking

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!