Getting Data In

I have python script with correct output in JSON format , but why 2 event with broken message?

alexeysharkov
Path Finder

Hello

I have python script just like this

 

 

 

 

#!/bin/python
import os
import json
import datetime

HOMEPATH = '/opt/monitor_dirs/SomeDir'

def path_to_dict(path, depth = 1, first = False):
    for base, dirs, files in os.walk(path):
        r = {'name': base, 'dirs': len(dirs), 'files': len(files)}
        if first:
            r['datetime'] = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S%z")
        if depth > 0:
            r['subdirs'] = {}
            for subdir in dirs:
                r['subdirs'][subdir] = path_to_dict(os.path.join(path, subdir), depth - 1);
        return r


#print path_to_dict(HOMEPATH, 1)
result = path_to_dict(HOMEPATH, 1, True)
if result:
    print (json.dumps(result, sort_keys=True, indent=4))

 

 

 

 

 

And i have output 

 

 

 

 

# ./file_count.py
{
    "datetime": "2023-02-22T21:10:49",
    "dirs": 9,
    "files": 0,
    "name": "/opt/monitor_dirs/SomeDir",
    "subdirs": {
        "XXXX": {
            "dirs": 0,
            "files": 63,
            "name": "/opt/monitor_dirs/XXXX"
        }
    }
}

 

 

 

 

 

 

There is some problem in Index

I have 2 event instead just only one

1. {

2.  ""datetime": "2023-02-22T21:10:49",
"dirs": 9,
"files": 0, and so on, but there is no '{'

 

How i can get only one event with my JSON

 

Labels (1)
Tags (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@alexeysharkov 

Can you please try updating the print statement in python code?

From:

print (json.dumps(result, sort_keys=True, indent=4))

To

print (json.loads(json.dumps(result, sort_keys=True, indent=4)))

 

if the solution doesn't work for you then please share the extraction configuration from props.conf.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

View solution in original post

Tags (1)

alexeysharkov
Path Finder

Thanks Kamlesh!

props.conf was empty 😞

And now

[mymonitorinf]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true

Everything OK now! Thanks

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@alexeysharkov 

Can you please try updating the print statement in python code?

From:

print (json.dumps(result, sort_keys=True, indent=4))

To

print (json.loads(json.dumps(result, sort_keys=True, indent=4)))

 

if the solution doesn't work for you then please share the extraction configuration from props.conf.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

Tags (1)
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...