Help extracting json at index time

olegr · ‎07-10-2023

Hello,

I have a scripted input that runs a py script which returns json in this format in a single line:

[
    {
        "address": "blah@blah.com",
        "timeRanges":
        [
            {
                "start": "2023-05-22T12:59:00.000Z",
                "end": "2023-05-25T13:48:19.000Z",
            },
            {
                "start": "2023-06-12T04:06:56.000Z",
            }
        ],
    },
    {
        "address": "blah1@blah1.com",
        "timeRanges":
        [
            {
                "start": "2023-07-01T15:00:00.000Z",
                "end": "2023-07-05T04:38:08.000Z",
            }
        ],
   }
]

Splunk indexes everything as a single record as below.

Looking for a way to extract each object into its own record. When I import the file via the GUI, it parses it correctly, but not via the scripted input. Props:

[my-source-type]
NO_BINARY_CHECK = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = true
TRUNCATE = 0

Help extracting json at index time

scripted input

Enhance Your Splunk App Development: New Tools & Support

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Are you a member of the Splunk Community?

Help extracting json at index time

scripted input

Enhance Your Splunk App Development: New Tools & Support

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code