Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Linebreaking issue with Azure Keyvault sourcetype

gazoscreek
Path Finder
a week ago

I have multiple formats of json data coming in from Azure Keyvault. I can't seem to get the linebreaking to work properly and Splunk AddOn for Microsoft Cloudservices doesn't provide any props for many of these json blobs.

( multiple matching lines per ingested event }

{ "count": 1, "total": 1, "minimum": 1, "maximum": 1, "average": 1, "resourceId": "/SUBSCRIPTIONS/blah/blah", "time": "2025-05-07T14:08:00.0000000Z", "metricName": "ServiceApiHit", "timeGrain": "PT1M"}
{ "count": 1, "total": 14, "minimum": 14, "maximum": 14, "average": 14, "resourceId": "/SUBSCRIPTIONS/blah/blah", "time": "2025-05-07T14:08:00.0000000Z", "metricName": "ServiceApiLatency", "timeGrain": "PT1M"}

And some look like this:

{ "time": "2025-05-07T14:07:58.7286344Z", "category": "AuditEvent", ....... "13"}
{ "time": "2025-05-07T14:08:02.8617508Z", "category": "AuditEvent", ....... "13"}


I've tried numerous combinations of regexes ... nothing's working.

LINE_BREAKER = (\}([\r\n]\s*,[\r\n]\s*){|\{\s+\"(count|time)\")

Any suggestions would be greatly helpful.




Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
Super Champion
a week ago

Hi @gazoscreek 

I think the line breaker regex is too complicated for what you're receiving I would expect the following to work for you:

[azure:keyvault]
LINE_BREAKER = ([\r\n]+)\{
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = \"time\":\s*\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N
MAX_TIMESTAMP_LOOKAHEAD = 30

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
Super Champion
a week ago

Hi @gazoscreek 

I think the line breaker regex is too complicated for what you're receiving I would expect the following to work for you:

[azure:keyvault]
LINE_BREAKER = ([\r\n]+)\{
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = \"time\":\s*\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N
MAX_TIMESTAMP_LOOKAHEAD = 30

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Solved! Jump to solution

gazoscreek
Path Finder
a week ago

Thank you. THis worked perfectly!

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Influencer
a week ago

@gazoscreek 

I took sample events and tried in my lab, please have a look 

Sample events: Mixed Metric and Audit Events

{ "count": 3, "total": 3, "minimum": 3, "maximum": 3, "average": 3, "resourceId": "/SUBSCRIPTIONS/blah/blah", "time": "2025-05-07T14:08:00.0000000Z", "metricName": "ServiceApiError", "timeGrain": "PT1M"}
{
"time": "2025-05-07T14:08:04.9876543Z",
"category": "AuditEvent",
"operationName": "DeleteSecret",
"status": "Succeeded",
"callerIpAddress": "52.191.18.74",
"clientRequestId": "abcdef-12345-67890",
"correlationId": "67890-abcdef-12345",
"resourceId": "/SUBSCRIPTIONS/blah/blah"
}

 

[sourcetype ]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n\s]*)(?=\{)
TIME_PREFIX="time":\s*"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%7QZ
MAX_TIMESTAMP_LOOKAHEAD=50
TRUNCATE=0
CHARSET=UTF-8
INDEXED_EXTRACTIONS=JSON

kiran_panchavat_0-1746628975076.png

kiran_panchavat_1-1746628997398.png

kiran_panchavat_2-1746629144043.png

kiran_panchavat_3-1746629197794.png

 

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

gazoscreek
Path Finder
a week ago

Thank you ... both posted solutions worked perfectly. Much appreciated.


Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...