Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lines break when indexing JSON data using props.conf attributes

anantdeshpande
Path Finder
‎08-21-2017 11:24 PM

Hi team,

I am not able to index below JSON data in Splunk 6.2 with below props.conf attributes. Its breaking at every line and treating as separate event with no field extraction. When I add the same file from Search head using add data option and selects _json as source type, the fields are correctly extracted. But do not work when mention same attributes and customized sourcetype name in props. Please suggest. 

Data:
{
  "messageId" : "VIPJAPAN40001JCOMPLETE2017220818015450",
  "messageType" : "EVENT",
  "sendingAppId" : "P1",
  "sendTimeStamp" : "2017-22-08T17:09:27.526-05:00",
}

Props:
[APP1_INOUT_App2]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
DATETIME_CONFIG = CURRENT
0 Karma
Reply

rafiqrehman
New Member
‎08-26-2019 06:25 AM

This works perfect for json data, at least for me:

[sourcetype]
INDEXED_EXTRACTIONS=json
JSON_TRIM_BRACES_IN_ARRAY_NAMES=true
CHARSET = AUTO
MAX_DIFF_SECS_AGO = 604800
MAX_EVENTS = 10000
NO_BINARY_CHECK = 1
TRUNCATE = 0

0 Karma
Reply

vasanthmss
Motivator
‎08-22-2017 02:37 PM

Try the below config, 

[APP1_INOUT_App2]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
pulldown_type=true
V
Reply

niketn
Legend
‎08-22-2017 03:10 AM

@anantdeshpande, Can you try with the following?

SHOULD_LINEMERGE = true
Also if you know event break pattern like start or end you should LINE_BREAKER, BREAK_ONLY_BEFORE, MUST_BREAK_AFTER etc. to identify events correctly. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Where is the field for timestamp in your data? Can you please one complete event as sample (or few)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

anantdeshpande
Path Finder
‎08-22-2017 05:11 AM

I tried with both SHOULD_LINEMERGE = true and false, but same results.

I can write BREAK_ONLY_BEFORE = ^{ or (^){ - but JSON is recognized format by Splunk and I should not be writing other stuff like normal logs.

In my data there are multiple fields with time stamp.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...