- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Lines break when indexing JSON data using prop...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lines break when indexing JSON data using props.conf attributes
Hi team,
I am not able to index below JSON data in Splunk 6.2 with below props.conf attributes. Its breaking at every line and treating as separate event with no field extraction. When I add the same file from Search head using add data option and selects _json as source type, the fields are correctly extracted. But do not work when mention same attributes and customized sourcetype name in props. Please suggest.
Data:
{
"messageId" : "VIPJAPAN40001JCOMPLETE2017220818015450",
"messageType" : "EVENT",
"sendingAppId" : "P1",
"sendTimeStamp" : "2017-22-08T17:09:27.526-05:00",
}
Props:
[APP1_INOUT_App2]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
DATETIME_CONFIG = CURRENT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works perfect for json data, at least for me:
[sourcetype]
INDEXED_EXTRACTIONS=json
JSON_TRIM_BRACES_IN_ARRAY_NAMES=true
CHARSET = AUTO
MAX_DIFF_SECS_AGO = 604800
MAX_EVENTS = 10000
NO_BINARY_CHECK = 1
TRUNCATE = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the below config,
[APP1_INOUT_App2]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
pulldown_type=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@anantdeshpande, Can you try with the following?
SHOULD_LINEMERGE = true
Also if you know event break pattern like start or end you should LINE_BREAKER, BREAK_ONLY_BEFORE, MUST_BREAK_AFTER etc. to identify events correctly. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking
Where is the field for timestamp in your data? Can you please one complete event as sample (or few)?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried with both SHOULD_LINEMERGE = true and false, but same results.
I can write BREAK_ONLY_BEFORE = ^{ or (^){ - but JSON is recognized format by Splunk and I should not be writing other stuff like normal logs.
In my data there are multiple fields with time stamp.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
