Solved: Another JSON Event Break Assistance request ..

Esky73 · ‎09-21-2017

An excerpt from my JSON output ...

Trying to Event break at the following line "type": "story", where a new event begins.

Have tried several posts but cannot get it working currently.

{
"total_count": 195,
"data": [
{
"type": "story",
"creation_time": "2017-09-06T01:29:57Z",
"parent": {
"type": "feature",
"id": "45003"
},
"version_stamp": 18,
"release": {
"type": "release",
"id": "14001"
},
"sprint": {
"type": "sprint",
"id": "21001"
},
"description": null,
"invested_hours": 4,
"id": "41051",
"last_modified": "2017-09-18T05:30:31Z",
"phase": {
"type": "phase",
"id": "4029"
},
"owner": {
"type": "workspace_user",
"id": "13010"
},
"author": {
"type": "workspace_user",
"id": "13001"
},
"story_points": null,
"product_areas": {
"total_count": 0,
"data": []
},
"team": {
"type": "team",
"id": "4001"
},
"remaining_hours": 0,
"user_tags": {
"total_count": 0,
"data": []
},
"name": "Add portlet to PSR - tasks planned and milestones",
"estimated_hours": 9
},
{
"type": "story",
"creation_time": "2017-07-31T02:08:15Z",
"parent": {
"type": "feature",
"id": "26056"
},
"version_stamp": 15,
"release": {
"type": "release",
"id": "12002"
},
"sprint": {
"type": "sprint",
"id": "19003"
},
"description": null,
"invested_hours": 0,
"id": "28001",
"last_modified": "2017-08-31T03:13:37Z",
"phase": {
"type": "phase",
"id": "4030"
},
"owner": {
"type": "workspace_user",
"id": "13010"
},
"author": {
"type": "workspace_user",
"id": "13001"
},
"story_points": 0,
"product_areas": {
"total_count": 0,
"data": []
},
"team": {
"type": "team",
"id": "4001"
},
"remaining_hours": 0,
"user_tags": {
"total_count": 0,
"data": []
},
"name": "As a PM, I can manage Projects of the NEC DTS Project Type",
"estimated_hours": 0
},
{
"type": "story",
"creation_time": "2017-07-21T05:11:24Z",
"parent": {
"type": "feature",
"id": "23069"
},
"version_stamp": 14,
"release": {
"type": "release",
"id": "12002"
},
"sprint": {
"type": "sprint",
"id": "19003"
},
"description": null,
"invested_hours": 1,
"id": "26060",
"last_modified": "2017-08-04T03:02:16Z",
"phase": {
"type": "phase",
"id": "4030"
},
"owner": {
"type": "workspace_user",
"id": "6001"
},
"author": {
"type": "workspace_user",
"id": "1008"
},
"story_points": 1,
"product_areas": {
"total_count": 0,
"data": []
},
"team": {
"type": "team",
"id": "4001"
},
"remaining_hours": 0,
"user_tags": {
"total_count": 0,
"data": []
},
"name": "As a BA I can assign requirements to PPM work packages. (many to many relationship)",
"estimated_hours": 1
},

Esky73 · ‎09-21-2017

Solved it with the following .. and the KV_MODE extracts all the fields as well.

[ octane_json ]
BREAK_ONLY_BEFORE=(^)\s{4}{
CHARSET=UTF-8
KV_MODE=json
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
category=Custom
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true

View solution in original post

Esky73 · ‎09-21-2017

Solved it with the following .. and the KV_MODE extracts all the fields as well.

[ octane_json ]
BREAK_ONLY_BEFORE=(^)\s{4}{
CHARSET=UTF-8
KV_MODE=json
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
category=Custom
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true

Another JSON Event Break Assistance request ..

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation