Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure props.conf to line break data in json format?

jedatt01
Builder
‎09-04-2014 10:55 AM

I have events that are coming in 'kinda' json format. I can't get KV_MODE=json to work so I was going to try and do the line breaking and field extraction manually. 2 sample events below. Please help. 

{
            "_id" : ObjectId("123456"),
            "notificationId" : 1234567,
            "notificationTime" : "4/9/2014 10:05:41 AM",
            "user" : {
                    "userId" : 1235,
                    "userType" : "New Member",
                    "identifiers" : [
                            {
                                    "identifier" : "123456",
                                    "identifierType" : "Entity Key"
                            },
                            {
                                    "identifier" : "123456",
                                    "identifierType" : "GenKey"
                            }
                    ],
                    "createdOnDate" : "2014-04-02T14:18:49-04:00"
            },
            "devices" : [
                    {
                            "activity" : [
                                    {
                                            "d1" : "0",
                                            "d2" : "0",
                                            "c1" : "0",
                                            "s1" : "0",
                                            "day" : "4/8/2014 12:00:00 AM"
                                    },
                                    {
                                            "d1" : "0",
                                            "d2" : "0",
                                            "c1" : "0",
                                            "s1" : "0",
                                            "day" : "4/9/2014 12:00:00 AM"
                                    }
                            ],
                            "deviceId" : "1234567"
                    }
            ],
            "__v" : 0
    },

{
            "_id" : ObjectId("123456"),
            "notificationId" : 1234567,
            "notificationTime" : "4/9/2014 10:05:41 AM",
            "user" : {
                    "userId" : 1235,
                    "userType" : "New Member",
                    "identifiers" : [
                            {
                                    "identifier" : "123456",
                                    "identifierType" : "Entity Key"
                            },
                            {
                                    "identifier" : "123456",
                                    "identifierType" : "GenKey"
                            }
                    ],
                    "createdOnDate" : "2014-04-02T14:18:49-04:00"
            },
            "devices" : [
                    {
                            "activity" : [
                                    {
                                            "d1" : "0",
                                            "d2" : "0",
                                            "c1" : "0",
                                            "s1" : "0",
                                            "day" : "4/8/2014 12:00:00 AM"
                                    },
                                    {
                                            "d1" : "0",
                                            "d2" : "0",
                                            "c1" : "0",
                                            "s1" : "0",
                                            "day" : "4/9/2014 12:00:00 AM"
                                    }
                            ],
                            "deviceId" : "1234567"
                    }
            ],
            "__v" : 0
    },
0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎09-04-2014 04:43 PM

Have you tried to set the sourcetype to _json ? (this sourcetype definition ships with Splunk)

0 Karma
Reply

jedatt01
Builder
‎09-05-2014 06:35 AM

Yes, but it did not work. Looks like this is not 100% correct json and the kv_mode=json won't recognize it. I'm working with the data provider to see if they can correct the issue

0 Karma
Reply

Sanjai676
Path Finder
‎05-25-2016 01:43 AM

I'm experiencing same issue. Have you got any results?

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎09-04-2014 03:17 PM

I'm no json expert. Normally for json in splunk you want to arrange for your events to be valid complete json items, whether that's a the entirety of the original json document, or a subcomponent.

This typically is more of a question of "how can I get splunk to keep this component of my json blob as an event", where linebreaking is how to identify a unit of information in a file. Typically linebreaking just identifies lines, and event merging combines them to form events. There are times where "abusing" linebreaking to make each line an event may be easier to configure though.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top