- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to configure props.conf to line break data...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure props.conf to line break data in json format?
I have events that are coming in 'kinda' json format. I can't get KV_MODE=json to work so I was going to try and do the line breaking and field extraction manually. 2 sample events below. Please help.
{
"_id" : ObjectId("123456"),
"notificationId" : 1234567,
"notificationTime" : "4/9/2014 10:05:41 AM",
"user" : {
"userId" : 1235,
"userType" : "New Member",
"identifiers" : [
{
"identifier" : "123456",
"identifierType" : "Entity Key"
},
{
"identifier" : "123456",
"identifierType" : "GenKey"
}
],
"createdOnDate" : "2014-04-02T14:18:49-04:00"
},
"devices" : [
{
"activity" : [
{
"d1" : "0",
"d2" : "0",
"c1" : "0",
"s1" : "0",
"day" : "4/8/2014 12:00:00 AM"
},
{
"d1" : "0",
"d2" : "0",
"c1" : "0",
"s1" : "0",
"day" : "4/9/2014 12:00:00 AM"
}
],
"deviceId" : "1234567"
}
],
"__v" : 0
},
{
"_id" : ObjectId("123456"),
"notificationId" : 1234567,
"notificationTime" : "4/9/2014 10:05:41 AM",
"user" : {
"userId" : 1235,
"userType" : "New Member",
"identifiers" : [
{
"identifier" : "123456",
"identifierType" : "Entity Key"
},
{
"identifier" : "123456",
"identifierType" : "GenKey"
}
],
"createdOnDate" : "2014-04-02T14:18:49-04:00"
},
"devices" : [
{
"activity" : [
{
"d1" : "0",
"d2" : "0",
"c1" : "0",
"s1" : "0",
"day" : "4/8/2014 12:00:00 AM"
},
{
"d1" : "0",
"d2" : "0",
"c1" : "0",
"s1" : "0",
"day" : "4/9/2014 12:00:00 AM"
}
],
"deviceId" : "1234567"
}
],
"__v" : 0
},
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried to set the sourcetype to _json ? (this sourcetype definition ships with Splunk)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, but it did not work. Looks like this is not 100% correct json and the kv_mode=json won't recognize it. I'm working with the data provider to see if they can correct the issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm experiencing same issue. Have you got any results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm no json expert. Normally for json in splunk you want to arrange for your events to be valid complete json items, whether that's a the entirety of the original json document, or a subcomponent.
This typically is more of a question of "how can I get splunk to keep this component of my json blob as an event", where linebreaking is how to identify a unit of information in a file. Typically linebreaking just identifies lines, and event merging combines them to form events. There are times where "abusing" linebreaking to make each line an event may be easier to configure though.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
