Getting Data In

Can you help me split a JSON event with regex in props.conf?

keiran_harris
Path Finder

Hi gurus:

I have JSON data that looks like the below.

{
    "BOMxmlDlTime": 0.6584670543670654,
    "TODAY-PLUS-0": {
        "BOMPREDdate": "2018-12-29",
        "BOMPREDdescBrief": "Sunny.",
        "BOMPREDfireDanger": "Very High",
        "BOMPREDiconCode": 1,
        "BOMPREDrainChance": 0,
        "BOMPREDtempMax": 30
    },
    "TODAY-PLUS-1": {
        "BOMPREDdate": "2018-12-30",
        "BOMPREDdescBrief": "Mostly sunny.",
        "BOMPREDiconCode": 3,
        "BOMPREDrainChance": 5,
        "BOMPREDtempMax": 31,
        "BOMPREDtempMin": 22
    },
    "TODAY-PLUS-2": {
        "BOMPREDdate": "2018-12-31",
        "BOMPREDdescBrief": "Possible shower.",
        "BOMPREDiconCode": 17,
        "BOMPREDrainChance": 40,
        "BOMPREDtempMax": 31,
        "BOMPREDtempMin": 22
    },
    "kCryptoDictType": "BOMpredictions"
}

I want to split each chunk of "TODAY-PLUS-X: { xxxxxx }," into its own event. I've been reading and attempting various things for the last few hours and nothing I can seem to do allows me to do this. The obvious place to split it would be at the line with:

}, 

... so I've been playing with various combinations of MUST_BREAK_AFTER with regex in props.conf to do this, but nothing seems to make the event split. Here's my current props.conf (in the /etc/system/local/ directory, but I have also tried it in /etc/app/xxxxx/local). And, I've been doing a full Splunk restart each time I edit props.conf, if anyone was wondering. The last 5 lines I think are the bits I've been manually editing (the first bits were auto-created from the GUI when I created my new _jsonFUTURE sourcetype).

[_jsonFUTURE]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Structured
description = K - required by BOM predictions data (needs special event splitting and date extraction logic)
disabled = false
pulldown_type = 1
BREAK_ONLY_BEFORE_DATE = false
MUST_BREAK_AFTER = \},
TIME_PREFIX = \"BOMPREDdate\":\s+\"
TIME_FORMAT = %y-%m-%d
MAX_DAYS_HENCE = 7

Can anyone please tell me what I'm doing wrong? I'm pulling my hair out!!!!

Thanks in advance guys,

K.

0 Karma

keiran_harris
Path Finder

Just circling back and updating here. Couldn't get the above to work.
So I fixed it by rewriting my code to structure the JSON in a way that Splunk would inherently split it, without any tweaking of props.conf.

Here's what it spits out now, and Splunk is parsing it just fine:

{
    "BOMPREDapiPollTime": 1546140373.072095, 
    "BOMPREDdate": "2018-12-30T11:44:43+11:00", 
    "BOMPREDdescBrief": "Mostly sunny.", 
    "BOMPREDdescDetail": "Hot and mostly sunny. Winds west to northwesterly 15 to 20 km/h shifting east to northeasterly 15 to 25 km/h in the late morning and early afternoon then becoming light in the late evening.", 
    "BOMPREDfireDanger": "Very High", 
    "BOMPREDiconCode": 3, 
    "BOMPREDrainChance": 10, 
    "BOMPREDtempMax": 32, 
    "BOMPREDuvAlert": "Sun protection 8:30am to 5:20pm, UV Index predicted to reach 13 [Extreme]"
}
{
    "BOMPREDapiPollTime": 1546140373.072095, 
    "BOMPREDdate": "2018-12-31T00:00:00+11:00", 
    "BOMPREDdescBrief": "Shower or two.", 
    "BOMPREDdescDetail": "Partly cloudy. Medium (50%) chance of showers, most likely in the evening. The chance of a thunderstorm in the afternoon and evening. Light winds becoming northeasterly 15 to 20 km/h in the evening then becoming light in the late evening.", 
    "BOMPREDiconCode": 11, 
    "BOMPREDrainChance": 50, 
    "BOMPREDrainMM": "0 to 1 mm", 
    "BOMPREDtempMax": 29, 
    "BOMPREDtempMin": 22
}
{
    "BOMPREDapiPollTime": 1546140373.072095, 
    "BOMPREDdate": "2019-01-01T00:00:00+11:00", 
    "BOMPREDdescBrief": "Mostly sunny.", 
    "BOMPREDdescDetail": "Partly cloudy. Slight (20%) chance of a shower. The chance of a thunderstorm in the morning. Light winds becoming northeasterly 15 to 20 km/h during the day then becoming light during the afternoon.", 
    "BOMPREDiconCode": 3, 
    "BOMPREDrainChance": 20, 
    "BOMPREDtempMax": 30, 
    "BOMPREDtempMin": 23
}
0 Karma

woodcock
Esteemed Legend

You need to click Accept to close this question.

0 Karma

gcusello
SplunkTrust

Hi keiran_harris,
try something like this

NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\"TODAY-PLUS-\d+\":
CHARSET=AUTO
disabled=false
pulldown_type=true
TIME_FORMAT=%Y-%m-%d
TIME_PREFIX=\"BOMPREDdate\":\ "

Bye.
Giuseppe

0 Karma
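As an added illustration (not part of any post in this thread), the Python below models the documented line-based semantics of BREAK_ONLY_BEFORE and MUST_BREAK_AFTER against a condensed copy of the JSON from the question, then runs TIME_PREFIX/TIME_FORMAT extraction with both the `%y-%m-%d` from the question and the `%Y-%m-%d` from this answer. It is an approximation for reasoning about which lines a regex hits and what the timestamp parser sees, not Splunk's parser; the sample data is constructed from the question and the regexes are copied from the thread.

```python
import re
from datetime import datetime

# Constructed sample: a condensed copy of the JSON posted in the question.
SAMPLE = '''{
    "BOMxmlDlTime": 0.6584670543670654,
    "TODAY-PLUS-0": {
        "BOMPREDdate": "2018-12-29",
        "BOMPREDdescBrief": "Sunny.",
        "BOMPREDtempMax": 30
    },
    "TODAY-PLUS-1": {
        "BOMPREDdate": "2018-12-30",
        "BOMPREDdescBrief": "Mostly sunny.",
        "BOMPREDtempMax": 31
    },
    "kCryptoDictType": "BOMpredictions"
}
'''

# The regexes from the thread as Python raw strings (\" in props.conf is just ").
BREAK_ONLY_BEFORE = r'"TODAY-PLUS-\d+":'   # from the answer above
MUST_BREAK_AFTER = r'\},'                   # from the question
TIME_PREFIX = r'"BOMPREDdate":\s+"'         # from the question


def break_only_before(text, pattern):
    """Model of BREAK_ONLY_BEFORE: a line matching the regex starts a new event."""
    rx = re.compile(pattern)
    events, current = [], []
    for line in text.splitlines(keepends=True):
        if rx.search(line) and current:
            events.append("".join(current))
            current = []
        current.append(line)
    if current:
        events.append("".join(current))
    return events


def must_break_after(text, pattern):
    """Model of MUST_BREAK_AFTER: a line matching the regex ends the current event."""
    rx = re.compile(pattern)
    events, current = [], []
    for line in text.splitlines(keepends=True):
        current.append(line)
        if rx.search(line):
            events.append("".join(current))
            current = []
    if current:
        events.append("".join(current))
    return events


def extract_timestamp(event, time_prefix, time_format, lookahead=128):
    """Model of TIME_PREFIX + TIME_FORMAT: parse the text right after the prefix.

    Returns a datetime, or None when the prefix is absent or nothing after it
    matches the strptime format (Splunk then falls back to another timestamp
    source, so the event is indexed at the wrong time).
    """
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    # strptime needs an exact match, so try the longest candidate first.
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], time_format)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    runs = (("BREAK_ONLY_BEFORE", break_only_before(SAMPLE, BREAK_ONLY_BEFORE)),
            ("MUST_BREAK_AFTER", must_break_after(SAMPLE, MUST_BREAK_AFTER)))
    for name, events in runs:
        print(f"{name}: {len(events)} events")
        for i, ev in enumerate(events):
            for fmt in ("%y-%m-%d", "%Y-%m-%d"):
                print(f"  event {i} with TIME_FORMAT={fmt}: "
                      f"{extract_timestamp(ev, TIME_PREFIX, fmt)}")
```

Run as a script, it prints the event count under each setting and the parsed timestamp per event. Both regexes yield three events on this sample, but the header lines (`"BOMxmlDlTime"`) end up in different events, and the first event under BREAK_ONLY_BEFORE carries no BOMPREDdate at all. With `%y-%m-%d` the four-digit year never parses, which matters operationally: an event indexed under a fallback time falls outside time-bounded searches and alerts, and MAX_DAYS_HENCE only helps once the date has actually been read.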

keiran_harris
Path Finder

I'll give it a go. So the main difference with your suggestion is to use BREAK_ONLY_BEFORE rather than MUST_BREAK_AFTER, I guess. What's the logic there? I'll let you know as soon as I can retest. Thanks, Keiran.

0 Karma

gcusello
SplunkTrust

Hi keiran_harris,
if you're satisfied by this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe

0 Karma