Getting Data In

How to skip reindexing events of manually edited JSON

evelenke
Contributor

Hi Splunkers,

I need to test folder monitoring inputs with source in JSON format.
Since I'm not able to test it with an application right now, I'm adding JSON events to the file manually. After this change all previous events are getting indexed again.
What configuration will help to avoid this behavior? I've tried

followTail = 1 

but this did not help.

0 Karma
1 Solution

evelenke
Contributor

So the problem was caused by square brackets [] at the beginning and the end of the file.
Without these Splunk does not reindex all the events included.

Thanks to everyone for assistance.

evelenke
Contributor

I'll try to continue here as my troubles didn't finish yet.

So I need to remove those square brackets and let Splunk recognize this type as usual JSON ({.....}). I've applied a transform like this:

[jsontest_null]
REGEX = ^([|)([^]$]+)(]|$)
FORMAT = $2
DEST_KEY = _raw

But even with this, the events still get reindexed when new records are added to the file.
Is there any way to escape this?
My props.conf:

LINE_BREAKER = (,)({"action")
AUTO_KV_JSON = true
SHOULD_LINEMERGE = false

Sample fake events (always separated by comma):
[{"action":{"date":"2017-03-27T07:56:14","name":"open","host":"host1","user":{"id":"27","name":"Doe, Joe","class":"5"},"obj":{"file":"3","name":"3","version":"1","size":"2963","type":"1","room":{"name":"room1","id":"room1"},"subject":"m5","fab":"a1","dir":"m5-a2"}}},{"action":{"date":"2017-03-27T07:56:15","name":"open","host":"host2","user":{"id":"27","name":"Doe, Joe","class":"6"},"obj":{"file":"3","name":"3","version":"1","size":"2433","type":"2","room":{"name":"room1","id":"room1"},"subject":"m5","fab":"a1","dir":"m5-a2"}}}]

0 Karma

mattymo
Splunk Employee

Ah nice! Glad to see you got it sorted!

- MattyMo
0 Karma

evelenke
Contributor

Thanks, but I think it's kind of a bug; although it may be a rare output type with '[]', it happens...
Please also check my comment below, I don't know if I need to create a new topic for this.

0 Karma

mattymo
Splunk Employee

I don't believe it's a bug, I think it's more to do with how Splunk reads a JSON array. If you are using JSON extractions, an array will be one event, so if you are hand-changing an event, it will read all of it because it is a "new" event. At least that's what I think is happening.

- MattyMo
0 Karma
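Added example (Python, not from the thread or from Splunk): it emulates the LINE_BREAKER from the props.conf posted above against a shortened, constructed version of the sample array, shows that the first and last events keep a stray [ and ] that breaks JSON parsing until they are stripped, and shows why appending to a bracketed array file rewrites an existing byte while appending to a bracket-free file does not. The ARRAY_EDGES regex is a hypothetical stand-in for the transform being attempted, not the one in the thread.

```python
import json
import re

# Constructed sample in the thread's format: a JSON array of comma-separated
# events, shortened from the posted fake events.
SAMPLE = ('[{"action":{"date":"2017-03-27T07:56:14","name":"open","host":"host1"}},'
          '{"action":{"date":"2017-03-27T07:56:15","name":"open","host":"host2"}}]')

# LINE_BREAKER from the thread's props.conf: Splunk discards capture group 1
# (the comma) and starts the next event right after it, so group 2 is kept.
LINE_BREAKER = re.compile(r'(,)({"action")')

# Hypothetical per-event cleanup (not the thread's transform): drop the one
# leading "[" and one trailing "]" the breaker leaves on the first/last events.
ARRAY_EDGES = re.compile(r'^\[?(.*?)\]?$', re.DOTALL)

def split_events(raw):
    """Emulate LINE_BREAKER: cut at group 1, keep group 2 with the next event."""
    events, pos = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return events

def parse_events(raw, strip_edges=True):
    """One parsed dict per event, or None where the event text is not valid JSON."""
    parsed = []
    for ev in split_events(raw):
        text = ARRAY_EDGES.sub(r'\1', ev) if strip_edges else ev
        try:
            parsed.append(json.loads(text))
        except json.JSONDecodeError:
            parsed.append(None)
    return parsed

def append_as_array(raw, obj):
    """Append to a bracketed file: the existing trailing ']' has to be rewritten."""
    return raw[:-1] + ',' + json.dumps(obj, separators=(',', ':')) + ']'

def append_flat(raw, obj):
    """Append to a bracket-free, comma-separated file: existing bytes untouched."""
    return raw + ',' + json.dumps(obj, separators=(',', ':'))

def unchanged_prefix(old, new):
    """Number of leading characters the edit left identical."""
    n = 0
    while n < min(len(old), len(new)) and old[n] == new[n]:
        n += 1
    return n
```

With the brackets in place, parse_events(SAMPLE, strip_edges=False) yields None for both events, and appending a third event leaves one fewer unchanged leading byte than the file had before; with the brackets gone, every existing byte survives the append.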

evelenke
Contributor

Yes, I also have similar thoughts.
Looking for a workaround, the transformation I've provided below doesn't work, unfortunately.

0 Karma

mattymo
Splunk Employee

You just need to get the line breaker right. regex101.com is my best friend for that.

Check out this answer to see how other users did a similar thing

https://answers.splunk.com/answers/511589/how-to-configure-line-breaking-for-my-sample-json.html#ans...

- MattyMo
0 Karma

evelenke
Contributor

Thank you, that was resolved. I always use regex101, but sometimes Splunk needs something else)

0 Karma

woodcock
Esteemed Legend

It is the followTail = 1 that is doing it; delete this or set to 0 instead.

0 Karma

evelenke
Contributor

The same; actually I added followTail=1 in the hope that it would resolve it.

0 Karma

mattymo
Splunk Employee

Can you share the entire config for this input?

./splunk btool inputs list --debug

look for the stanza for this particular input and share here!

- MattyMo
0 Karma

evelenke
Contributor

sure:

[monitor://mypath*.json]
disabled = 0
host = myhost
sourcetype = my_json_test1
source = my_json_test1
index = my_json_test1

alwaysOpenFile = 1

followTail=1

0 Karma

mattymo
Splunk Employee

Windows or nix?

- MattyMo
0 Karma

evelenke
Contributor

Windows 10

0 Karma

evelenke
Contributor

The same on Linux.

0 Karma

somesoni2
Revered Legend

By default, Splunk does followTail only for monitor data inputs. Is the update that you make within the first 256 characters of the file?

0 Karma

evelenke
Contributor

No, it's more: each event has approx. 400 chars.

0 Karma