Re: Event Break JSON

thufirtan · ‎03-25-2013

Hi, I am trying to ingest JSON data into Splunk but I am having difficulties setting up the event breaks. What is the best way to do this?

Jordan_Brough · ‎06-29-2013

Assuming that each json event blob starts on a new line with an opening brace { Then this seems to be working for me:

[json]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false

sbitterman · ‎04-09-2015

Where did you specify this logic? In your $SPUNK_HOME/etc/system/local/props.conf? That's where I'm trying to define this logic to get my events correct when using the Splunk Forwarder, but not having any success. 😞

RaistlinLinden · ‎07-01-2015

I would really like to know the answer to this as we are having the same problem. We are using the splunk cloud and do not know where to put this logic. On a config file on the cloud server?

mjoseff_splunk · ‎10-05-2016

$SPLUNK_HOME/etc/system/local/props.conf

lpolo · ‎02-19-2014

I used this approach to address my question:

http://answers.splunk.com/answers/121098/iterate-the-extraction-of-json-objects-using-splunk-query-l...

However, I think that this approach has the problem that the json objects are not split into events. Therefore, any aggregation function will not work as expected. Any idea?

niordache · ‎10-03-2013

Worked for me ! Json object is not splitted in several events .

Event Break JSON

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment