Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure a sourcetype for JSON data to parse each line as a distinct event?

rfitch
Path Finder
‎09-22-2016 10:49 AM

I have an application that logs out single line JSON statements. For some reason when I load this into Splunk, most of the events are being arbitrarily grouped. I want each line to be a distinct event. Here is an example of some event grouping. 

{"correlationId":"19432348-67ec-4942-97b8-afbd5946e450", "logger":"stuff.stuff.controller.Controller", "timestamp":"2016-09-22T11:44:14,799 MDT", "level":"INFO ", "threadId":"", "thread":"stuff-http--76", "threadPriority":"", "message":"stuff API starting"}
{"correlationId":"19432348-67ec-4942-97b8-afbd5946e450", "logger":"stuff.stuff.handler.Handler", "timestamp":"2016-09-22T11:44:15,026 MDT", "level":"INFO ", "threadId":"", "thread":"stuff-http--76", "threadPriority":"", "message":"stuff part of process completed in 225 ms, resourceEndPoint :[/server/stuff/stuff/rest/v2/@@stuffClass@@/]"}

I've tried some different JSON source types and I keep getting this behavior. I've also tried not setting a source type and letting Splunk Cloud determine what it is. Still the same behavior.

How can I force each line into its own event?

Reply

nareshinsvu
Builder
‎07-30-2019 07:15 PM

I had a similar requirement. My logs have normal texts and Json messages.

You can use below settings in your props.conf to extract the json messages as-is and can do rex on each line as you wanted

LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = true

Reply

sloshburch
Splunk Employee
Splunk Employee
‎09-22-2016 11:07 AM

Try KV_MODE=json as per https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Propsconf . Additionally, the event breaks can be tuned in the props to occur with newlines and curly brackets. I would imagine the default LINE_BREAKER works but I suppoe you could tune it to LINE_BREAKER=([\r\n]+)\{. See: https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Propsconf#Line_breaking

Is your time stamp coming out correctly?

Reply

rfitch
Path Finder
‎09-22-2016 12:44 PM

Gave that a shot and it didn't change anything. The time stamp doesn't work every event, even thought they are structured the same.

Timestamp extract from this event with 2 lines

{"correlationId":"87165dae-6c7f-415f-8133-f30f955cbfb3", "logger":"stuff.XslUtil", "timestamp":"2016-09-22T13:36:58,861 MDT", "level":"INFO ", "threadId":"", "thread":stuff-http--80", "threadPriority":"", "message":"transform operation completed - run timing info: 6 ms"}
{"correlationId":"87165dae-6c7f-415f-8133-f30f955cbfb3", "logger":"stuffController", "timestamp":"2016-09-22T13:36:58,887 MDT", "level":"INFO ", "threadId":"", "thread":"tomcat-http--80", "threadPriority":"", "message":"stuffClasses operation completed - total time: 429 ms"}

Timestamp not extracted from this event with a single line

{"correlationId":"88e9b32e-3666-4615-9eb6-54dc45ac436c", "logger":"kennis.kdp.handler.PassthroughResourceHandler", "timestamp":"2016-09-22T13:36:55,352 MDT", "level":"INFO ", "threadId":"", "thread":"tomcat-http--19", "threadPriority":"", "message":"Denodo part of process completed in 432 ms, resourceEndPoint :[/server/kennis__fund_v2_0/fund_classes/rest/v2/@@fundClass@@/]"}

I'm just dealing with the source types GUI since it's Splunk Cloud. I'd attach some photos, but I don't have enough karma points

Reply

jacobpevans
Motivator
‎07-30-2019 06:27 PM

In a test environment, navigate to Settings > Add data > Upload. Upload a saved file version of your log. Change the sourcetype to _json (or a clone of it), and play with it from there. This is much easier than guessing parameters in .conf files. As an example, once the JSON is properly parsing, you can simply pick timestamp to be the field that _time derives from. Best of luck.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎09-23-2016 05:21 AM

Please share your config up to this point? When adding the data in the GUI you should be able to too this on the left-hand side menu on the bottom.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top