
Json parsing - event breaks

Path Finder

Below is my event:

[
{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}
{
created_at: 2019-08-25T03:50:59.412Z
credibility_score: -5
email: muhammad.irfan@xx.ae
id: 623
last_reported_at: 2019-08-26T15:14:33.000Z
reports_count: 2
updated_at: 2019-08-26T15:10:40.260Z
vip: false
}
}

I want to break every single event, taking the timestamp from my last_reported_at field.

Below is my props.conf:

[xxx]
SHOULD_LINEMERGE = false
category = Splunk App Add-on Builder
pulldown_type = 1
KV_MODE = json
NO_BINARY_CHECK = true
TRUNCATE = 0
TIME_PREFIX = "last_reported_at":"

Please correct what's wrong with my props.conf.

Communicator

I had an experience similar to yours and I finally had to modify the script that generates the JSON to avoid using arrays. I mean JSON like this:

[
{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}
]

It did not work for me. I had to remove the array and have JSON like this:

{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}

Then the sourcetype _json worked perfectly.
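As an added example (not code from the thread or from Splunk), this is the kind of change the answer above describes in the generating script: it takes the array-form JSON from the question and emits one object per line, so each object lands as its own event under sourcetype _json, and it checks up front that every record carries a parseable last_reported_at rather than letting a record without it get a fallback timestamp. The sample input and the field name TIME_FIELD are assumptions taken from the thread.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the array-form JSON from the question, two of its records.
ARRAY_JSON = """[
  {"created_at": "2019-08-28T13:48:48.722Z", "credibility_score": -5,
   "email": "swathi.nandigam@xx.ae", "id": 625,
   "last_reported_at": "2019-08-28T13:52:48.000Z", "reports_count": 1,
   "updated_at": "2019-08-28T13:48:51.519Z", "vip": false},
  {"created_at": "2019-08-28T04:46:22.106Z", "credibility_score": 0,
   "email": "richard.talian@xx.ae", "id": 624,
   "last_reported_at": "2019-08-28T04:48:36.000Z", "reports_count": 1,
   "updated_at": "2019-08-28T04:46:24.169Z", "vip": false}
]"""

TIME_FIELD = "last_reported_at"  # the field the question wants as event time


def parse_event_time(value):
    """Parse the ISO-8601 'Z' timestamp used by the sample records as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def to_ndjson(array_text, time_field=TIME_FIELD):
    """Turn a JSON array into newline-delimited JSON: one object per line, one event each.

    A record without the timestamp field, or with one that does not parse, is rejected
    so the problem surfaces in the producer instead of as a mis-timed event in the index.
    """
    records = json.loads(array_text)
    if not isinstance(records, list):
        raise ValueError("top-level JSON must be an array")
    lines = []
    for rec in records:
        if time_field not in rec:
            raise ValueError(f"record id={rec.get('id')} lacks {time_field}")
        parse_event_time(rec[time_field])  # fail fast on an unparseable timestamp
        lines.append(json.dumps(rec, separators=(",", ":")))  # compact, no embedded newlines
    return "\n".join(lines) + "\n"


def event_times(ndjson_text, time_field=TIME_FIELD):
    """Per-line event timestamps, i.e. what each event's time should come out as."""
    return [parse_event_time(json.loads(line)[time_field])
            for line in ndjson_text.splitlines() if line]


if __name__ == "__main__":
    out = to_ndjson(ARRAY_JSON)
    print(out, end="")
    print(event_times(out))
```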

Path Finder

So please accept my answer.

Path Finder

Hi @riqbal47010, yes it worked. But when I give the table command the values are coming double. How can I resolve that?

Path Finder

Please define the sourcetype as

sourcetype = _json


Path Finder

Hi, if I define sourcetype=_json, it gets only the first event:

{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}

SplunkTrust

@Nadhiyaa

Can you please share a sample event in the code block.

Path Finder
[
{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}
{
created_at: 2019-08-25T03:50:59.412Z
credibility_score: -5
email: muhammad.irfan@xx.ae
id: 623
last_reported_at: 2019-08-26T15:14:33.000Z
reports_count: 2
updated_at: 2019-08-26T15:10:40.260Z
vip: false
}
}