Solved: Issue with a log JSON

rafamss · ‎02-11-2014

Hi guys,

I'm having a issues with a log data file in the following format (JSON):

{"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 250, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 250, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 700, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 240, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 600, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 950, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 190, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }}

The Splunk only recognizes the file as a unique line. What do I do ?

Rafael Martins

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

View solution in original post

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

somesoni2 · ‎02-11-2014

Since your data don't have timestamp (for each event), SPlunk is considering whole file content as one event. When seeing the preview of the log file during import, click on 'adjust timestamp and event break settings' link (in top section). Then in 'Event breaks' tab, select option "specify patter..." and provide this value {"widget" . Click on apply and continue with other things that your were doing so far.

rafamss · ‎02-11-2014

I created a new source type and inserted the data log file into directory that was already previously configured. I consider this is the simplest way to do this.

somesoni2 · ‎02-11-2014

did you configure the event breaking or your just went ahead with default values?

rafamss · ‎02-11-2014

I created through Splunk Web.

somesoni2 · ‎02-11-2014

You've create data input from Splunk Web or directly from props.conf?

Issue with a log JSON

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...