Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON array not onbaording as expected

harryvdtol
Path Finder
‎02-25-2025 06:13 AM

Hello,

I am having trouble onboaring json array data.
I read many contributions , but i still having troubles

This is the json array input

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]


- My first attempt: i put a props.conf on the UF

DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


The data was nicely split into separte json events, but the table command doubled the data.
Like this issues
https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tablin...
https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

doubble.jpg


- Then i moved the props.conf into the index-cluster
Now the _raw event is the same as the input array, and not splitted ito separated json events, like this

not_extracted_2.jpg

not_extracted.jpg



I have to use spath commad during search as workaround.


So I can workaround the issue, but I 'd rather import the data correctly

Where do i go wrong? 


Any help is appreciated.

Reagrds,

Harry

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-25-2025 06:29 AM

Hi @harryvdtol 

Ive just tried that sample data and props config locally and it seems to work.

Please can you confirm the stanza name (the text between the [ and ]) in the props.conf and the sourcetype that this is indexed into Splunk as? These should match but want to double check as it looks like it hasnt applied the props.conf

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply

harryvdtol
Path Finder
‎02-25-2025 08:07 AM

Hi WIl,

For the confirmation

On UF

- inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers


ON Index-cluster
- props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured


- Input file

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

not_extracted_3.jpg


Reagrds,

Harry

0 Karma
Reply

harryvdtol
Path Finder
‎03-03-2025 10:02 PM

Hello,

I decided to let go on JSON file
In stead i receive a simple txt file now, whcih works better


Thank you for you help.

Harry

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...