Getting Data In

JSON events not splitting correctly

pjohnson1
Path Finder

I have some data in the following format which does not split correctly.

The events get indexed as one event.

sample data

{"date": "5/8/2020", "time": "7:57:47 AM", "client": "187.45.18.205", "flags": "A", "query": "v1.addthisedge.com"}{"date": "5/8/2020", "time": "7:57:47 AM", "client": "188.35.138.205", "flags": "A", "query": "m.addthis.com"}{"date": "5/8/2020", "time": "7:57:47 AM", "client": "186.95.16.121", "flags": "A", "query": "cloud.acrobat.com"}

props.conf

[monitor:///data/dns/*/*/*/*.json.log]
INDEXED_EXTRACTIONS = json
KV_MODE = none
Labels (3)
Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
[monitor:///data/dns/*/*/*/*.json.log]
SHOULD_LINEMERGE = false
LINE_BREAKER = }(\s*)
NO_BINARY_CHECK = true

Well, if you cut it off, there's no problem.

View solution in original post

to4kawa
Ultra Champion
[monitor:///data/dns/*/*/*/*.json.log]
SHOULD_LINEMERGE = false
LINE_BREAKER = }(\s*)
NO_BINARY_CHECK = true

Well, if you cut it off, there's no problem.

to4kawa
Ultra Champion

your JSON is not valid.
, is missing between objects( {\"date...} )
Both INDEXED_EXTRACTIONS and KV_MODE can't work.

0 Karma

pjohnson1
Path Finder

Thank you for answering. I fixed up the json output but still have an issue.

 [{"date": "5/8/2020", "time": "7:57:47 AM", "client": "187.45.18.205", "flags": "A", "query": "v1.addthisedge.com"},{"date": "5/8/2020", "time": "7:57:47 AM", "client": "188.35.138.205", "flags": "A", "query": "m.addthis.com"},{"date": "5/8/2020", "time": "7:57:47 AM", "client": "186.95.16.121", "flags": "A", "query": "cloud.acrobat.com"}]
0 Karma

to4kawa
Ultra Champion

I hope you look my answer before amended.

your json is valid now.

 [monitor:///data/dns/*/*/*/*.json.log]
 INDEXED_EXTRACTIONS = json
 KV_MODE = none

it works.

0 Karma

pjohnson1
Path Finder

Yes, I did. Thank you! 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...