Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON array not onbaording as expected

harryvdtol
Explorer
‎02-25-2025 06:13 AM

Hello,

I am having trouble onboaring json array data.
I read many contributions , but i still having troubles

This is the json array input

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]


- My first attempt: i put a props.conf on the UF

DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


The data was nicely split into separte json events, but the table command doubled the data.
Like this issues
https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tablin...
https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

doubble.jpg


- Then i moved the props.conf into the index-cluster
Now the _raw event is the same as the input array, and not splitted ito separated json events, like this

not_extracted_2.jpg

not_extracted.jpg



I have to use spath commad during search as workaround.


So I can workaround the issue, but I 'd rather import the data correctly

Where do i go wrong? 


Any help is appreciated.

Reagrds,

Harry

Labels (1)
Labels
0 Karma
Reply

livehybrid
Super Champion
‎02-25-2025 06:29 AM

Hi @harryvdtol 

Ive just tried that sample data and props config locally and it seems to work.

Please can you confirm the stanza name (the text between the [ and ]) in the props.conf and the sourcetype that this is indexed into Splunk as? These should match but want to double check as it looks like it hasnt applied the props.conf

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply

harryvdtol
Explorer
‎02-25-2025 08:07 AM

Hi WIl,

For the confirmation

On UF

- inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers


ON Index-cluster
- props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


- Input file

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

not_extracted_3.jpg


Reagrds,

Harry

0 Karma
Reply

harryvdtol
Explorer
‎03-03-2025 10:02 PM

Hello,

I decided to let go on JSON file
In stead i receive a simple txt file now, whcih works better


Thank you for you help.

Harry

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top