Re: JSON array not onbaording as expected

harryvdtol · ‎02-25-2025

Hello,

I am having trouble onboaring json array data.
I read many contributions , but i still having troubles

This is the json array input

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

- My first attempt: i put a props.conf on the UF

DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured

The data was nicely split into separte json events, but the table command doubled the data.
Like this issues
https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tablin...
https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

- Then i moved the props.conf into the index-cluster
Now the _raw event is the same as the input array, and not splitted ito separated json events, like this

I have to use spath commad during search as workaround.

So I can workaround the issue, but I 'd rather import the data correctly

Where do i go wrong?

Any help is appreciated.

Reagrds,

Harry

livehybrid · ‎02-25-2025

Hi @harryvdtol

Ive just tried that sample data and props config locally and it seems to work.

Please can you confirm the stanza name (the text between the [ and ]) in the props.conf and the sourcetype that this is indexed into Splunk as? These should match but want to double check as it looks like it hasnt applied the props.conf

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

harryvdtol · ‎02-25-2025

Hi WIl,

For the confirmation

On UF

- inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers

ON Index-cluster
- props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured

- Input file

[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

Reagrds,

Harry

harryvdtol · ‎03-03-2025

Hello,

I decided to let go on JSON file
In stead i receive a simple txt file now, whcih works better

Thank you for you help.

Harry

JSON array not onbaording as expected

props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation