JSON Data extraction issues with Comma

kumva01 · ‎10-28-2024

Hi Team,

We are trying to extract JSON data with custom sourcetype and With the current configuration, all JSON objects are being combined into a single event in Splunk. Ideally, each JSON object should be recognized as a separate event, but the configuration is not breaking them apart as expected

I observed that each JSON object has a comma after the closing brace }, which appears to be causing the issue by preventing Splunk from treating each JSON object as a separate event.

sample data :

{ 

  "timestamp":"1727962122",

  "phonenumber": "0000000"

  "appname": "cisco"

},

{ 

  "timestamp":"1727962123",

  "phonenumber": "0000000"

  "appname": "windows"

},

Error message : Error message : JSON StreamID:0 had parsing error: Unexpected character while looking for value comma ','

Thanks in advance

tej57 · ‎06-18-2025

Hello @kumva01,

Can you explain more about what is the source and how are you trying to ingest the data? What will be the data flow? Just the props configuration will not be able to help you with breaking the events and maintaining the JSON format for further field extractions.

Thanks,
Tejas.

JSON Data extraction issues with Comma

JSON

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...

It's Customer Success Time at .conf25

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Are you a member of the Splunk Community?

JSON Data extraction issues with Comma

JSON

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...

It's Customer Success Time at .conf25

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust