Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How to configure props.conf to parse JSON data structures?

carlskii
New Member
โ€Ž09-17-2014 01:19 PM

Hi,

I have the following JSON data structure which I'm trying to parse as three separate events. Can somebody please show how a should define my props.conf. This is what I currently have but its only extracting a single event. 

[fruits_source]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false

json data.

{
    "fruits": [
        {
            "fruit": "orange",
            "location": "tray1",
            "date": "6/20/2014",
            "instances_1": [
                {
                    "name": "orange",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                }
            ],
            "instances_2": [
                {
                    "name": "orange",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                },
                {
                    "name": "orange",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                },
                {
                    "name": "orange",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                }
            ]
        },
        {
            "fruit": "lemon",
            "location": "tray2",
            "date": "6/20/2015",
            "instances_1": [
                {
                    "name": "a",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                }
            ],
            "instances_2": [
                {
                    "name": "a",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                },
                {
                    "name": "b",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                },
                {
                    "name": "c",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                }
            ]
        },
        {
            "fruit": "clementine",
            "location": "tray3",
            "date": "6/20/2016",
            "instances_1": [
                {
                    "name": "a",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                }
            ],
            "instances_2": [
                {
                    "name": "a",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                },
                {
                    "name": "b",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                },
                {
                    "name": "c",
                    "type": "citrus",
                    "shape": "round",
                    "status": "ok"
                }
            ]
        }
    ]
}
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
โ€Ž09-19-2014 03:43 PM

LINE_BREAKER has to have something to consume, and ^ is an anchor, not a character per se. Try the following instead.


LINE_BREAKER = ([<BACKSLASH>n<BACKSLASH>r]+){

Replace the <BACKSLASH> with a literal backslash character (I can't get it to display on the forum text for some reason).

This says "break on a newline followed immediately by a { character".

0 Karma
Reply

carlskii
New Member
โ€Ž09-17-2014 01:21 PM

BTW I'm using Splunk 6.1.3

0 Karma
Reply