Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to configure props.conf to parse JSON data str...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to configure props.conf to parse JSON data structures?
carlskii
New Member
09-17-2014
01:19 PM
Hi,
I have the following JSON data structure which I'm trying to parse as three separate events. Can somebody please show how a should define my props.conf. This is what I currently have but its only extracting a single event.
[fruits_source]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false
json data.
{
"fruits": [
{
"fruit": "orange",
"location": "tray1",
"date": "6/20/2014",
"instances_1": [
{
"name": "orange",
"type": "citrus",
"shape": "round",
"status": "ok"
}
],
"instances_2": [
{
"name": "orange",
"type": "citrus",
"shape": "round",
"status": "ok"
},
{
"name": "orange",
"type": "citrus",
"shape": "round",
"status": "ok"
},
{
"name": "orange",
"type": "citrus",
"shape": "round",
"status": "ok"
}
]
},
{
"fruit": "lemon",
"location": "tray2",
"date": "6/20/2015",
"instances_1": [
{
"name": "a",
"type": "citrus",
"shape": "round",
"status": "ok"
}
],
"instances_2": [
{
"name": "a",
"type": "citrus",
"shape": "round",
"status": "ok"
},
{
"name": "b",
"type": "citrus",
"shape": "round",
"status": "ok"
},
{
"name": "c",
"type": "citrus",
"shape": "round",
"status": "ok"
}
]
},
{
"fruit": "clementine",
"location": "tray3",
"date": "6/20/2016",
"instances_1": [
{
"name": "a",
"type": "citrus",
"shape": "round",
"status": "ok"
}
],
"instances_2": [
{
"name": "a",
"type": "citrus",
"shape": "round",
"status": "ok"
},
{
"name": "b",
"type": "citrus",
"shape": "round",
"status": "ok"
},
{
"name": "c",
"type": "citrus",
"shape": "round",
"status": "ok"
}
]
}
]
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sowings
Splunk Employee
09-19-2014
03:43 PM
LINE_BREAKER has to have something to consume, and ^ is an anchor, not a character per se. Try the following instead.
LINE_BREAKER = ([<BACKSLASH>n<BACKSLASH>r]+){
Replace the <BACKSLASH> with a literal backslash character (I can't get it to display on the forum text for some reason).
This says "break on a newline followed immediately by a { character".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
carlskii
New Member
09-17-2014
01:21 PM
BTW I'm using Splunk 6.1.3
Get Updates on the Splunk Community!
Your Guide to Splunk Digital Experience Monitoring
A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
