Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: JSON events not splitting correctly
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pjohnson1
Path Finder
05-07-2020
06:47 PM
I have some data in the following format which does not split correctly.
The events get indexed as one event.
sample data
{"date": "5/8/2020", "time": "7:57:47 AM", "client": "187.45.18.205", "flags": "A", "query": "v1.addthisedge.com"}{"date": "5/8/2020", "time": "7:57:47 AM", "client": "188.35.138.205", "flags": "A", "query": "m.addthis.com"}{"date": "5/8/2020", "time": "7:57:47 AM", "client": "186.95.16.121", "flags": "A", "query": "cloud.acrobat.com"}
props.conf
[monitor:///data/dns/*/*/*/*.json.log]
INDEXED_EXTRACTIONS = json
KV_MODE = none
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-07-2020
07:30 PM
[monitor:///data/dns/*/*/*/*.json.log]
SHOULD_LINEMERGE = false
LINE_BREAKER = }(\s*)
NO_BINARY_CHECK = true
Well, if you cut it off, there's no problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-07-2020
07:30 PM
[monitor:///data/dns/*/*/*/*.json.log]
SHOULD_LINEMERGE = false
LINE_BREAKER = }(\s*)
NO_BINARY_CHECK = true
Well, if you cut it off, there's no problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-07-2020
07:25 PM
your JSON is not valid.
, is missing between objects( {\"date...} )
Both INDEXED_EXTRACTIONS and KV_MODE can't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pjohnson1
Path Finder
05-07-2020
10:30 PM
Thank you for answering. I fixed up the json output but still have an issue.
[{"date": "5/8/2020", "time": "7:57:47 AM", "client": "187.45.18.205", "flags": "A", "query": "v1.addthisedge.com"},{"date": "5/8/2020", "time": "7:57:47 AM", "client": "188.35.138.205", "flags": "A", "query": "m.addthis.com"},{"date": "5/8/2020", "time": "7:57:47 AM", "client": "186.95.16.121", "flags": "A", "query": "cloud.acrobat.com"}]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-07-2020
10:39 PM
I hope you look my answer before amended.
your json is valid now.
[monitor:///data/dns/*/*/*/*.json.log]
INDEXED_EXTRACTIONS = json
KV_MODE = none
it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pjohnson1
Path Finder
05-08-2020
12:22 AM
Yes, I did. Thank you! 🙂
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
