I have a JSON file that is formatted like this:

    {
      "meta": {
        "serverTime": 1692112678688.699,
        "agentsReady": true,
        "status": "success",
        "token": "ABCDEFG",
        "user": {
          "userName": "username",
          "role": "ADMIN"
        }
      },
      "vulnerabilities": [
        {
          "id": "pcysys_linux_0.10000000",
          "creation_time": 1690581702599.0,
          "name": "name",
          "summary": "summary",
          "found_on": "Host: 10.10.10.10",
          "target": "Host",
          "target_id": "abcdefg",
          "port": 445,
          "protocol": "abc",
          "severity": 3.5,
          "priority": null,
          "insight": "this is the insight",
          "remediation": "this is the remediation"
        },
        {
          "id": "pcysys_linux_0.10000000",
          "creation_time": 1690581702599.0,
          "name": "name",
          "summary": "summary",
          "found_on": "Host: 10.10.10.10",
          "target": "Host",
          "target_id": "abcdefg",
          "port": 445,
          "protocol": "abc",
          "severity": 3.5,
          "priority": null,
          "insight": "this is the insight",
          "remediation": "this is the remediation"
        }
      ]
    }

I am trying to ingest just the vulnerabilities. It works when I try it in the Splunk UI, but when I save it in my props.conf file, it doesn't split it correctly and the id from one section gets appended to the end of the previous one.
Here is what I am trying:
[sourcetype]
LINE_BREAKER = }(,[\r\n]+)
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = 1
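
An added example, not part of the original post and not Splunk code: a small Python model of the documented LINE_BREAKER rule (the text matched by the first capture group is discarded and marks the event boundary), applied to a constructed three-item sample in the post's shape. It reports which resulting events are standalone JSON and which still carry the `meta` token; `break_events` and `audit` are hypothetical helper names, and Python's `re` is assumed to treat this simple pattern the same way PCRE does.

```python
import json
import re

# Constructed sample in the post's shape; every value is a placeholder.
VULN = {"id": "pcysys_linux_0.10000000", "found_on": "Host: 10.10.10.10",
        "port": 445, "severity": 3.5, "priority": None}
SAMPLE = json.dumps({
    "meta": {"status": "success", "token": "ABCDEFG",
             "user": {"userName": "username", "role": "ADMIN"}},
    "vulnerabilities": [VULN, VULN, VULN],
}, indent=2)

LINE_BREAKER = r"}(,[\r\n]+)"  # the regex from the post


def break_events(raw, line_breaker):
    """Split raw text at each match; capture group 1 is the discarded boundary."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])  # text before group 1 ends the event
        start = m.end(1)                      # text after group 1 starts the next
    events.append(raw[start:])
    return events


def audit(events):
    """For each event: is it standalone JSON, and does it contain the token key?"""
    report = []
    for ev in events:
        try:
            json.loads(ev)
            valid = True
        except json.JSONDecodeError:
            valid = False
        report.append({"valid_json": valid, "has_token": '"token"' in ev})
    return report


if __name__ == "__main__":
    events = break_events(SAMPLE, LINE_BREAKER)
    for i, (ev, r) in enumerate(zip(events, audit(events))):
        print(i, r, repr(ev[:40]))
```

In this model the first event is the `meta` block, token included, and only the middle array item is a self-contained JSON object; the last event keeps the closing `]` and `}`.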