Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON array not onbaording as expected

harryvdtol
Path Finder
‎02-25-2025 06:13 AM

Hello,

I am having trouble onboaring json array data.
I read many contributions , but i still having troubles

This is the json array input

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]


- My first attempt: i put a props.conf on the UF

DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


The data was nicely split into separte json events, but the table command doubled the data.
Like this issues
https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tablin...
https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

doubble.jpg


- Then i moved the props.conf into the index-cluster
Now the _raw event is the same as the input array, and not splitted ito separated json events, like this

not_extracted_2.jpg

not_extracted.jpg



I have to use spath commad during search as workaround.


So I can workaround the issue, but I 'd rather import the data correctly

Where do i go wrong? 


Any help is appreciated.

Reagrds,

Harry

Labels (1)
Labels
0 Karma
Reply

livehybrid
Super Champion
‎02-25-2025 06:29 AM

Hi @harryvdtol 

Ive just tried that sample data and props config locally and it seems to work.

Please can you confirm the stanza name (the text between the [ and ]) in the props.conf and the sourcetype that this is indexed into Splunk as? These should match but want to double check as it looks like it hasnt applied the props.conf

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply

harryvdtol
Path Finder
‎02-25-2025 08:07 AM

Hi WIl,

For the confirmation

On UF

- inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers


ON Index-cluster
- props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


- Input file

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

not_extracted_3.jpg


Reagrds,

Harry

0 Karma
Reply

harryvdtol
Path Finder
‎03-03-2025 10:02 PM

Hello,

I decided to let go on JSON file
In stead i receive a simple txt file now, whcih works better


Thank you for you help.

Harry

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top