- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to configure props.conf to break JSON into eve...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all.
I'm getting some JSON files from API figures.
This is what I receive:
"2015-08-02": {
"downloads": 49,
"updates": 4,
"returns": 0,
"net_downloads": 49,
"promos": 0,
"revenue": "54.98",
"edu_downloads": 0,
"gifts": 0,
"gift_redemptions": 0,
"date": "2015-08-02"
},
"2015-08-03": {
"downloads": 41,
"updates": 6,
"returns": 0,
"net_downloads": 41,
"promos": 0,
"revenue": "0.00",
"edu_downloads": 0,
"gifts": 0,
"gift_redemptions": 0,
"date": "2015-08-03"
},
"2015-08-04": {
"downloads": 71,
"updates": 5,
"returns": 0,
"net_downloads": 71,
"promos": 0,
"revenue": "53.07",
"edu_downloads": 0,
"gifts": 0,
"gift_redemptions": 0,
"date": "2015-08-04"
}
I'm trying to create a sourcetype for this (Data input -> Set Sourcetype) since _json did not work, but no success so far. I was not able to break it into events and get the correct timestamp.
How can I configure the props.conf so I can brake the events and get the timestamp?
Thanks is advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your JSON data is not well formatted as it looks like you have multiple events in a single json object. For json settings to work your data must look something like whats below foreach event:
{"2015-08-02": {
"downloads": 49,
"updates": 4,
"returns": 0,
"net_downloads": 49,
"promos": 0,
"revenue": "54.98",
"edu_downloads": 0,
"gifts": 0,
"gift_redemptions": 0,
"date": "2015-08-02"
}
}
The way you appear to be breaking data your event looks something like what below which is not proper json:
"2015-08-02": {
"downloads": 49,
"updates": 4,
"returns": 0,
"net_downloads": 49,
"promos": 0,
"revenue": "54.98",
"edu_downloads": 0,
"gifts": 0,
"gift_redemptions": 0,
"date": "2015-08-02"
}
You could write a script to encapsulate each event in {}.
If you just care about breaking the event correctly and not about it being in proper json you could use the following
[kindofJSON]
BREAK_ONLY_BEFORE="\d{4}-\d{2}-\d{2}":
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your JSON data is not well formatted as it looks like you have multiple events in a single json object. For json settings to work your data must look something like whats below foreach event:
{"2015-08-02": {
"downloads": 49,
"updates": 4,
"returns": 0,
"net_downloads": 49,
"promos": 0,
"revenue": "54.98",
"edu_downloads": 0,
"gifts": 0,
"gift_redemptions": 0,
"date": "2015-08-02"
}
}
The way you appear to be breaking data your event looks something like what below which is not proper json:
"2015-08-02": {
"downloads": 49,
"updates": 4,
"returns": 0,
"net_downloads": 49,
"promos": 0,
"revenue": "54.98",
"edu_downloads": 0,
"gifts": 0,
"gift_redemptions": 0,
"date": "2015-08-02"
}
You could write a script to encapsulate each event in {}.
If you just care about breaking the event correctly and not about it being in proper json you could use the following
[kindofJSON]
BREAK_ONLY_BEFORE="\d{4}-\d{2}-\d{2}":
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using break only before, or break only after... and time prefix:
[jsonsourcetype]
BREAK_ONLY_BEFORE=},|}
TIME_PREFIX = "date":
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
