
How do we assign each JSON document to a distinct event?

Ultra Champion

We have a case in which multiple json documents are being clamped together into one Splunk event. How do we untangle it?


Re: How do we assign each JSON document to a distinct event?

SplunkTrust

Hi @ddrillic,

Can you please provide some sample data?


Re: How do we assign each JSON document to a distinct event?

Legend

@ddrillic also add what is your current sourcetype stanza for JSON data?


Re: How do we assign each JSON document to a distinct event?

Ultra Champion

@niketnilay, sorry for the delay. We didn't set anything in the configuration files.


Re: How do we assign each JSON document to a distinct event?

SplunkTrust

Hi ddrillic,

This usually happens when you have brackets at the beginning of your JSON containing the entire document. It makes it as if the entire document is a value for one of the elements. You should set up a sedcmd in your props to clear this up, or clear it via script before the data gets into Splunk.

If you post a copy of the header/end of your JSON file I can help you set up the sedcmd.

Regards,
David


Re: How do we assign each JSON document to a distinct event?

Ultra Champion

Interesting - it looks like {"userDetails":{...."message":null} followed by another one like this one - {"userDetails":{...."message":null}...


Re: How do we assign each JSON document to a distinct event?

SplunkTrust

If your lines always start with a new element, you can go for this config:

[yourSourcetype]
BREAK_ONLY_BEFORE = ^\{

Re: How do we assign each JSON document to a distinct event?

SplunkTrust

LINE_BREAKER would be a much better approach than BREAK_ONLY_BEFORE.


Re: How do we assign each JSON document to a distinct event?

SplunkTrust

Why do you say that?


Re: How do we assign each JSON document to a distinct event?

SplunkTrust

If you set SHOULD_LINEMERGE = false and use LINE_BREAKER, this will skip the merging pipeline and give a performance boost.

http://wiki.splunk.com/Community:HowIndexingWorks

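A complete props.conf stanza that puts the LINE_BREAKER and SHOULD_LINEMERGE advice from the replies above together, as an added example rather than a configuration posted in the thread. It assumes every document begins with {"userDetails" as in ddrillic's sample, that documents are concatenated with nothing or only whitespace between them (no separating comma), and reuses the [yourSourcetype] stanza name from the earlier reply.

```ini
[yourSourcetype]
# Added example, not the thread's own config. Assumes each document in the
# stream starts with {"userDetails" and that consecutive documents have
# nothing, or only whitespace, between them.

# Break the raw stream between documents. Only the first capturing group
# (the whitespace between a closing '}' and the next '{') is discarded:
# the '}' stays with the previous event and '{"userDetails"' starts the
# next one. Anchoring on the "userDetails" key keeps a '}, {' inside an
# embedded array from being mistaken for a document boundary.
LINE_BREAKER = \}(\s*)\{"userDetails"

# Each LINE_BREAKER segment is already a whole event, so skip the
# line-merging pipeline (and its per-event cost) entirely.
SHOULD_LINEMERGE = false

# A document longer than the default 10000 bytes would be cut off; raise
# the limit to the largest document you expect (placeholder value here).
TRUNCATE = 100000

# Extract the JSON fields at search time.
KV_MODE = json
```

If the documents carry their own timestamp, add TIME_PREFIX and TIME_FORMAT for that field; the thread does not show one, so none is set here. After restarting, search the sourcetype and confirm each event is a single well-formed object (the JSON fields populate) before relying on the break.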