Solved: Issue with a log JSON

rafamss · ‎02-11-2014

Hi guys,

I'm having a issues with a log data file in the following format (JSON):

{"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 250, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 250, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 700, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 240, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 600, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 950, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 190, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }}

The Splunk only recognizes the file as a unique line. What do I do ?

Rafael Martins

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

View solution in original post

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

somesoni2 · ‎02-11-2014

Since your data don't have timestamp (for each event), SPlunk is considering whole file content as one event. When seeing the preview of the log file during import, click on 'adjust timestamp and event break settings' link (in top section). Then in 'Event breaks' tab, select option "specify patter..." and provide this value {"widget" . Click on apply and continue with other things that your were doing so far.

rafamss · ‎02-11-2014

I created a new source type and inserted the data log file into directory that was already previously configured. I consider this is the simplest way to do this.

somesoni2 · ‎02-11-2014

did you configure the event breaking or your just went ahead with default values?

rafamss · ‎02-11-2014

I created through Splunk Web.

somesoni2 · ‎02-11-2014

You've create data input from Splunk Web or directly from props.conf?

Issue with a log JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

Issue with a log JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026