Re: Event Break JSON

thufirtan · ‎03-25-2013

Hi, I am trying to ingest JSON data into Splunk but I am having difficulties setting up the event breaks. What is the best way to do this?

Jordan_Brough · ‎06-29-2013

Assuming that each json event blob starts on a new line with an opening brace { Then this seems to be working for me:

[json]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false

sbitterman · ‎04-09-2015

Where did you specify this logic? In your $SPUNK_HOME/etc/system/local/props.conf? That's where I'm trying to define this logic to get my events correct when using the Splunk Forwarder, but not having any success. 😞

RaistlinLinden · ‎07-01-2015

I would really like to know the answer to this as we are having the same problem. We are using the splunk cloud and do not know where to put this logic. On a config file on the cloud server?

mjoseff_splunk · ‎10-05-2016

$SPLUNK_HOME/etc/system/local/props.conf

lpolo · ‎02-19-2014

I used this approach to address my question:

http://answers.splunk.com/answers/121098/iterate-the-extraction-of-json-objects-using-splunk-query-l...

However, I think that this approach has the problem that the json objects are not split into events. Therefore, any aggregation function will not work as expected. Any idea?

niordache · ‎10-03-2013

Worked for me ! Json object is not splitted in several events .

Event Break JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation