JSON Data extraction issues with Comma

kumva01 · ‎10-28-2024

Hi Team,

We are trying to extract JSON data with custom sourcetype and With the current configuration, all JSON objects are being combined into a single event in Splunk. Ideally, each JSON object should be recognized as a separate event, but the configuration is not breaking them apart as expected

I observed that each JSON object has a comma after the closing brace }, which appears to be causing the issue by preventing Splunk from treating each JSON object as a separate event.

sample data :

{ 

  "timestamp":"1727962122",

  "phonenumber": "0000000"

  "appname": "cisco"

},

{ 

  "timestamp":"1727962123",

  "phonenumber": "0000000"

  "appname": "windows"

},

Error message : Error message : JSON StreamID:0 had parsing error: Unexpected character while looking for value comma ','

Thanks in advance

tej57 · ‎06-18-2025

Hello @kumva01,

Can you explain more about what is the source and how are you trying to ingest the data? What will be the data flow? Just the props configuration will not be able to help you with breaking the events and maintaining the JSON format for further field extractions.

Thanks,
Tejas.

JSON Data extraction issues with Comma

JSON

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

JSON Data extraction issues with Comma

JSON

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+