
How to parse a JSON array delimited by "," into separate events with their unique timestamps?

Contributor

Sample single event:

[{"a":"057.00E09037A","b":"cdw","c":"1.2.7.7","d":"192.168.1.0","date":"2015-12-14T23:25:24.539Z"}, {"a":"057.00E09037A","b":"cdw","c":"1.2.7.7","d":"192.168.1.0","date":"2015-12-14T23:25:24.542Z"},
{"a":"057.00E09037A","b":"cdw","c":"1.2.7.7","d":"192.168.1.0","date":"2015-12-14T23:25:24.545Z"}]

Please note the above event is an array whose elements are JSON objects with different timestamps.

Is there an efficient configuration for props.conf to parse the above into 3 different events with their unique timestamps?

0 Karma

Re: How to parse a JSON array delimited by "," into separate events with their unique timestamps?

Splunk Employee

This will already result in three indexed events with the standard "_json" sourcetype. You can just copy those settings and create your own sourcetype.


Re: How to parse a JSON array delimited by "," into separate events with their unique timestamps?

Contributor

This is my props.conf for the JSON

LINE_BREAKER = (\x04)
NO_BINARY_CHECK = 0
SHOULD_LINEMERGE = false
pulldown_type = 1
TIME_PREFIX = \,\"date\":\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
TZ = UTC
MAX_TIMESTAMP_LOOKAHEAD = 300
INDEXED_EXTRACTIONS = JSON

But still it's taking the array of JSON objects as one event.

0 Karma

Re: How to parse a JSON array delimited by "," into separate events with their unique timestamps?

Splunk Employee

Your JSON data has standard xsd:dateTime timestamps, which Splunk will recognize automatically; and you only have one timestamp in there. So I would just get rid of TIME_PREFIX, TIME_FORMAT and TZ.
I would also remove the LINE_BREAKER and let Splunk figure that out based on the JSON structure we understand.

Note that INDEXED_EXTRACTIONS needs to be configured on the source system, where the logs are picked up (a Universal Forwarder, in most cases).

0 Karma

Re: How to parse a JSON array delimited by "," into separate events with their unique timestamps?

Contributor

Thanks for the update. I used the above props.conf without the line breaker and it worked well. Thanks again for your help.

0 Karma
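To show the advice from the accepted answer and the follow-up reply side by side, here is an added props.conf example that is not from the thread: the poster's original stanza next to one modelled on the built-in _json sourcetype. The stanza names are placeholders, and the _json defaults are reproduced from memory, so verify them against $SPLUNK_HOME/etc/system/default/props.conf on your own installation.

```ini
# Added example, not the thread's own configuration.
# Both stanzas belong on the system that reads the file (usually a
# Universal Forwarder), because INDEXED_EXTRACTIONS runs there.

# --- Before: the poster's settings, which left the whole array as one event ---
# LINE_BREAKER = (\x04) only breaks on a \x04 control byte, which the sample
# does not contain, so nothing ever splits the array. The hand-written
# TIME_PREFIX / TIME_FORMAT / TZ are not needed for xsd:dateTime values.
[json_array_before]
LINE_BREAKER = (\x04)
NO_BINARY_CHECK = 0
SHOULD_LINEMERGE = false
TIME_PREFIX = \,\"date\":\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
TZ = UTC
MAX_TIMESTAMP_LOOKAHEAD = 300
INDEXED_EXTRACTIONS = JSON

# --- After: copy of the built-in _json sourcetype under your own name ---
# No LINE_BREAKER: the structured JSON parser splits the array into one
# event per object and reads each object's own "date" timestamp, so all
# three records get their correct _time instead of sharing the first one.
[json_array]
INDEXED_EXTRACTIONS = json
KV_MODE = none
category = Structured
pulldown_type = true
# Optional: name the timestamp field explicitly instead of relying on
# auto-detection (TIMESTAMP_FIELDS is a standard setting for indexed extractions).
TIMESTAMP_FIELDS = date
```

After restarting the forwarder, a search such as `sourcetype=json_array | stats count by _time` should return three rows with the three distinct timestamps from the sample.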