Solved: Re: Need help with a custom source type

pir8radio · ‎06-25-2021

Hi, starting fresh. maybe I can explain a bit better here.. I found another similar issue to mine here: https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-json-array-into-multiple-events-with-... I need it to break out the 20+ items in the string. For some reason setting up my source type like in this post, just gives me the first user worth of info. It doesnt break them all out.. Here is a dump of one of the raw json requests. its truncated at then end, looking into that. But i basically need to break out each user in this list with their stats just like that previous post above talks about. any help would be appreciated.

Spoiler

kamlesh_vaghela · ‎06-27-2021

@pir8radio

Can you please try this?

[YOUR_SOURCETYPE]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE=true
LINE_BREAKER=}(\,){\"address\"
CHARSET=UTF-8
SEDCMD-a=s/{"miners":\[//g
SEDCMD-b=s/(\].*)//g

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-27-2021

@pir8radio

Can you please try this?

[YOUR_SOURCETYPE]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE=true
LINE_BREAKER=}(\,){\"address\"
CHARSET=UTF-8
SEDCMD-a=s/{"miners":\[//g
SEDCMD-b=s/(\].*)//g

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

pir8radio · ‎06-28-2021

looks like it is working with the below config.. thank you! 😄

pir8radio · ‎06-28-2021

it will not let me set "should_linemerge=true" with line_breaker set to

}(\,){\"address\"

kamlesh_vaghela · ‎06-27-2021

@pir8radio

Can you please share your configuration?

KV

pir8radio · ‎06-27-2021

This is how i have it configured today, but it only grabs the first user "Pir8radio" ignores the rest.

And this is result, but result is only the first array item. not the rest of them.

kamlesh_vaghela · ‎06-27-2021

@pir8radio

Your shared JSON looks invalid. Can you please share valid _raw event?

KV

pir8radio · ‎06-27-2021

Hope i made sense. 🙂

pir8radio · ‎06-27-2021

I am using splunk REST plugin to grab json data. Plugin may strip raw info i am not sure. But here is the real API json data: https://signapool.notallmine.net/api/getMiners

@kamlesh_vaghela If you can make input work with raw json i can just write a script that grabs json and puts it into a text file every 2 mins and not use REST plugin.

pir8radio · ‎06-27-2021

I guess the community isnt as active any more.. 😞

pir8radio · ‎06-26-2021

must be harder than i thought....... 🙂

Need help with a custom source type

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Need help with a custom source type

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future