Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split JSON array element into different events using props.conf

shanksholla
Explorer
‎08-25-2015 05:34 AM

Hi

I have a JSON message which looks like-

{
    "data": [
        {
            "id": "X999_Y999",
            "from": {
                "name": "Tom Brady",
                "id": "X12"
            },
            "message": "Looking forward to 2010!",
            "actions": [
                {
                    "name": "Comment",
                    "link": "http://www.facebook.com/X999/posts/Y999"
                },
                {
                    "name": "Like",
                    "link": "http://www.facebook.com/X999/posts/Y999"
                }
            ],
            "type": "status",
            "created_time": "2010-08-02T21:27:44+0000",
            "updated_time": "2010-08-02T21:27:44+0000"
        },
        {
            "id": "X998_Y998",
            "from": {
                "name": "Peyton Manning",
                "id": "X18"
            },
            "message": "Where's my contract?",
            "actions": [
                {
                    "name": "Comment",
                    "link": "http://www.facebook.com/X998/posts/Y998"
                },
                {
                    "name": "Like",
                    "link": "http://www.facebook.com/X998/posts/Y998"
                }
            ],
            "type": "status",
            "created_time": "2010-08-02T21:27:44+0000",
            "updated_time": "2010-08-02T21:27:44+0000"
        }
    ]
}

Now, I would want to split this JSON array into different events. In this message, data from-
{
"id": "",
onwards would constitute different messages.

I have tried the following in props.conf, but all the data are shows up as single event.

[ json_split ]
TIME_FORMAT=%Y-%m-%dT%H:%M:%S+%4N
TIME_PREFIX="updated_time":\s"
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=(\{\s+"id")
NO_BINARY_CHECK=true

Can you please tell how to split this JSON array into different events.

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-25-2015 05:50 AM

For your sample data, I changed 

BREAK_ONLY_BEFORE="id":\s".*?",

and it worked - its not very robust however - if you ever have a field that comes after "id" in the "from" node, it will break.

0 Karma
Reply

shanksholla
Explorer
‎08-26-2015 02:18 AM

Thanks for your reply!
But with this, the leading curly braces (prior to "id") is left in previous event.
Also with this, it wouldn't be possible to parse the data in events into key value pairs using INDEXED_EXTRACTIONS or KV_MODE.
Please correct me if I'm wrong

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-27-2015 12:14 AM

Hmm. I see what your saying. I'm guessing it would be easier to either use LINE_BREAKER and turn SHOULD_LINEMERGE to false. I'll give it another go and see if I can come up with a better solution.

Could you maybe parse the events before indexing - it might be easier 🙂 ?

0 Karma
Reply

shanksholla
Explorer
‎08-27-2015 04:33 AM

Can you please tell me how to parse before indexing. Is it using transforms.conf?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...