How to edit my props.conf configuration to extract...

dhavamanis · ‎06-15-2016

Can you please tell us how to extract an individual events from json array during the indexing,

Sample input:

{
  "Value": [
    {
      "date": "2016-06-10",
      "applicationId": "app1",
      "applicationName": "T NOW",
      "deviceType": "PC",
      "orderName": "",
      "storeClient": "Windows Store (client)",
      "osVersion": "Windows 10",
      "market": "US",
      "gender": "Unknown",
      "ageGroup": "35-49",
      "acquisitionType": "Free",
      "acquisitionQuantity": 1
    },
    {
      "date": "2016-06-09",
      "applicationId": "app1",
      "applicationName": "T NOW",
      "deviceType": "PC",
      "orderName": "",
      "storeClient": "Store (client)",
      "osVersion": "Windows 8.1",
      "market": "US",
      "gender": "Unknown",
      "ageGroup": "Unknown",
      "acquisitionType": "Free",
      "acquisitionQuantity": 5
    }]
}

We have tried source settings like below in props.conf and seems it is not splitting the events correctly. Can you please provide the correct properties to break events for each values in the json array and assign the date field value as the event's timestamp?

[mobile_win_json]
INDEXED_EXTRACTIONS = json
KV_MODE = json
NO_BINARY_CHECK = true
BREAK_ONLY_BEFORE = ^{
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = date
TIME_FORMAT = %Y-%m-%d
TRUNCATE = 0
category = Custom
description = json filed extraction from array of value
disabled = false
pulldown_type = true

ryanoconnor · ‎06-20-2016

The following line can be removed since "SHOULD_LINEMERGE" is set to false.

BREAK_ONLY_BEFORE = ^{
1. Can you post a sample JSON event that you're seeing in Splunk? This appears to be valid JSON so it should be extracting.

How to edit my props.conf configuration to extract individual events from a JSON array?

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring