Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split the following JSON into different events?

ranjitbrhm1
Communicator
‎04-18-2018 11:48 AM

Hello All,
Im a newbie to JSON and have pretty much no knowledge in programming. Can someone please assist in splitting the following json into diffrent events (split events). I have removed some details from JSON in compliance with the community rules, and rest of it is pretty much just dummy data.

{  
   "STATUS":"OK",
   "todo-items":[  
      {  
         "id":17223591,
         "canComplete":true,
         "comments-count":0,
         "description":"",
         "has-reminders":false,
         "has-unread-comments":false,
         "private":2,
         "content":"Map Indexed Data of Windows Servers to Windows Infrastructure  App",
         "order":2000,
         "project-id":353705,
         "project-name":"IT18-03-IT Dashboarding System",
         "todo-list-id":1533948,
         "todo-list-name":"Phase Two",
         "tasklist-private":true,
         "tasklist-isTemplate":false,
         "status":"new",
         "company-name":"TECIT",
         "company-id":103131,
         "creator-id":316954,
         "creator-firstname":"3333",
         "creator-lastname":"33333",
         "completed":false,
         "start-date":"20180325",
         "due-date-base":"20180415",
         "due-date":"20180415",
         "created-on":"2018-02-21T05:53:40Z",
         "last-changed-on":"2018-03-29T11:41:56Z",
         "position":2000,
         "estimated-minutes":0,
         "priority":"",
         "progress":0,
         "harvest-enabled":false,
         "parentTaskId":"17223590",
         "lockdownId":"806894",
         "tasklist-lockdownId":"806894",
         "has-dependencies":2,
         "has-predecessors":0,
         "hasTickets":false,
         "timeIsLogged":"0",
         "attachments-count":0,
         "responsible-party-ids":"317122,316954",
         "responsible-party-id":"317122,316954",
         "responsible-party-names":"Projects T.|3333.",
         "responsible-party-type":"Person",
         "responsible-party-firstname":"33333",
         "responsible-party-lastname":"3333",
         "responsible-party-summary":"You + 1 other",
         "predecessors":[  

         ],
         "parent-task":{  
            "content":"Customization - Infrastructure Log Monitoring / HW",
            "id":"17223590"
         },
         "canEdit":true,
         "viewEstimatedTime":true,
         "canLogTime":false,
         "userFollowingComments":false,
         "userFollowingChanges":false,
         "DLM":0
      },
      {  
         "id":17223405,
         "canComplete":false,
         "comments-count":1,
         "description":"",
         "has-reminders":false,
         "has-unread-comments":false,
         "private":2,
         "content":"fdfdfdfdfdfd",
         "order":2000,
         "project-id":353705,
         "project-name":"asdf",
         "todo-list-id":1533948,
         "todo-list-name":"Phase Two",
         "tasklist-private":true,
         "tasklist-isTemplate":false,
         "status":"new",
         "company-name":"asdasd",
         "company-id":103131,
         "creator-id":316954,
         "creator-firstname":"3333",
         "creator-lastname":"333333",
         "completed":false,
         "start-date":"20180227",
         "due-date-base":"20180408",
         "due-date":"20180408",
         "created-on":"2018-02-21T04:42:49Z",
         "last-changed-on":"2018-03-29T10:34:36Z",
         "position":2000,
         "estimated-minutes":0,
         "priority":"",
         "progress":0,
         "harvest-enabled":false,
         "parentTaskId":"17223403",
         "lockdownId":"806894",
         "tasklist-lockdownId":"806894",
         "has-dependencies":2,
         "has-predecessors":0,
         "hasTickets":false,
         "timeIsLogged":"0",
         "attachments-count":0,
         "responsible-party-ids":"221525",
         "responsible-party-id":"221525",
         "responsible-party-names":"3333A.",
         "responsible-party-type":"Person",
         "responsible-party-firstname":"3333",
         "responsible-party-lastname":"Al33i",
         "responsible-party-summary":"3333A.",
         "predecessors":[  

         ],
         "parent-task":{  
            "content":"Work Package 3",
            "id":"17223403"
         },
         "canEdit":false,
         "viewEstimatedTime":true,
         "canLogTime":false,
         "commentFollowerSummary":"You + 2 others",
         "commentFollowerIds":"221525,316954,317122",
         "userFollowingComments":true,
         "userFollowingChanges":false,
         "DLM":0
      },
0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎04-18-2018 12:34 PM

Is this just a file on disk, or is it coming from some code somewhere? If so, a few things will need to happen:

1) Strip out the header
2) Define a line breaker
3) Strip out the footer (closing square bracket and curly brace)

This props.conf may work (it is hard to tell without a complete sample):

[myJSON]
SEDCMD-remove_header = s/^(?:.*\n){1,3}//g
SEDCMD-remove_footer = s/\][\r\n]\s*\}.*$//g
LINE_BREAKER = \}(\s*,[\r\n]\s*)\{

It is a best practice to have some time formatting in your props.conf also, but I don't see anything that looks like a timestamp.

0 Karma
Reply

ranjitbrhm1
Communicator
‎04-18-2018 12:48 PM

Thanks for the answer. I am pulling down the json using a curl script and put a continuous monitor in place for this to be injested on to the splunk instance.

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎04-18-2018 01:12 PM

In that case, I would recommend using the Splunk Add-on Builder which can automate this for you (and break the events without all that regex mentioned above). Here is a walkthrough -> http://dev.splunk.com/view/addon-builder/SP-CAAAFCA

0 Karma
Reply

nkaplan_splunk
Splunk Employee
Splunk Employee
‎02-19-2020 12:31 PM

The updated location of the Splunk Add-on Builder documentation is https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/UseTheApp

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...