Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON array not onbaording as expected

harryvdtol
Path Finder
‎02-25-2025 06:13 AM

Hello,

I am having trouble onboaring json array data.
I read many contributions , but i still having troubles

This is the json array input

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]


- My first attempt: i put a props.conf on the UF

DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


The data was nicely split into separte json events, but the table command doubled the data.
Like this issues
https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tablin...
https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

doubble.jpg


- Then i moved the props.conf into the index-cluster
Now the _raw event is the same as the input array, and not splitted ito separated json events, like this

not_extracted_2.jpg

not_extracted.jpg



I have to use spath commad during search as workaround.


So I can workaround the issue, but I 'd rather import the data correctly

Where do i go wrong? 


Any help is appreciated.

Reagrds,

Harry

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-25-2025 06:29 AM

Hi @harryvdtol 

Ive just tried that sample data and props config locally and it seems to work.

Please can you confirm the stanza name (the text between the [ and ]) in the props.conf and the sourcetype that this is indexed into Splunk as? These should match but want to double check as it looks like it hasnt applied the props.conf

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply

harryvdtol
Path Finder
‎02-25-2025 08:07 AM

Hi WIl,

For the confirmation

On UF

- inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers


ON Index-cluster
- props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


- Input file

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

not_extracted_3.jpg


Reagrds,

Harry

0 Karma
Reply

harryvdtol
Path Finder
‎03-03-2025 10:02 PM

Hello,

I decided to let go on JSON file
In stead i receive a simple txt file now, whcih works better


Thank you for you help.

Harry

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Top