Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing Multimetric Logs

grexo94
Engager
a week ago

Hi all,I am trying to parse multiple nested Multimetric logs as metrics and am failing.The following source type works when I read logs individually, e.g.


{"event":"metric","metric_name:my_metric_1":2,"metric_name:my_metric_2":2.1}

 

or pretty printed:


{
      "event": "metric",
      "metric_name:my_metric_1": 2.0,
      "metric_name:my_metric_2": 2.1
    }[json_metrics_singleevent]
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = JSON
KV_MODE = none

____________________________________________________________________________
in reality, logs look like this:
{"data":[{"event":"metric","metric_name:my_metric_1":0,"metric_name:my_metric_2":0.1},{"event":"metric","metric_name:my_metric_1":1,"metric_name:my_metric_2":1.1},{"event":"metric","metric_name:my_metric_1":2,"metric_name:my_metric_2":2.1}]}or pretty printed:{
  "data": [
    {
      "event": "metric",
      "metric_name:my_metric_1": 0.0,
      "metric_name:my_metric_2": 0.1
    },
    {
      "event": "metric",
      "metric_name:my_metric_1": 1.0,
      "metric_name:my_metric_2": 1.1
    },
    {
      "event": "metric",
      "metric_name:my_metric_1": 2.0,
      "metric_name:my_metric_2": 2.1
    }
  ]
}

 

Sourcetype:

[json_metrics_multievents]
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = JSON
LINE_BREAKER = (\{\"data\"\:\[)|(\,)\{"event|(\]\})

 

--> doesn't work. I am getting the response, the logs are not properly structured.Can someone help please?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
Saturday

@grexo94 - Basically, I think the problem you have is with JSON List. There are two approaches that I could think of from which you can start:

 

I hope this helps!!! 

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
Saturday

@grexo94 - Basically, I think the problem you have is with JSON List. There are two approaches that I could think of from which you can start:

 

I hope this helps!!! 

Reply
Solved! Jump to solution

grexo94
Engager
4 hours ago

thank you, yes, these will be my plan b & c's.

 

I was wondering why i simply cannot use a linebreaker the way i am used to for event-indexing, but i simply accept that for logs that i want to index as metrics

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...