Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- REST input JSON event break
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Need an urgent help.
I am using REST API Modular input and the problem is i am not able to set the parameter for event breaking, below is the sample log.
{ "User" : [ { "record_id" : "2", "email_address" : "dsfsdf@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-23T05:28:43.091+00:00", "user_id" : "54216542", "username" : "Audit.Test1", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46", "user_creation_date" : "2024-08-23T05:28:42.000+00:00", "user_last_update_date" : "2024-08-23T05:28:44.000+00:00" }, { "record_id" : "3", "email_address" : "XDCFSD@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-28T06:42:43.736+00:00", "user_id" : "300000019394603", "username" : "Assessment.Integration", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46545SDS45S", "user_creation_date" : "2024-08-28T06:42:43.000+00:00", "user_last_update_date" : "2024-08-28T06:42:47.000+00:00" }, { "record_id" : "1", "email_address" : "dfds@dfwsfe.com", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-06T13:27:34.085+00:00", "user_id" : "5612156498213", "username" : "dfsv", "suspended" : false, "person_id" : "56121564963", "credentials_email_sent" : "", "user_guid" : "D564FSD2F8WEGV216S", "user_creation_date" : "2024-08-06T13:29:00.000+00:00", "user_last_update_date" : "2024-08-06T13:29:47.224+00:00" } ]}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Zubair,
Try something like this:
[YOUR_SOURCETYPE]
SHOULD_LINEMERGE=true
LINE_BREAKER=(, )
TRUNCATE=9999999
BREAK_ONLY_BEFORE={
MUST_BREAK_AFTER=}
SEDCMD-cleanup-before=s/^\{ "User" : \[\s\{/{/g
SEDCMD-cleanup-after-2=s/\s\[\}/}/gIt's best if you can run that on a test instance first with some sample data to see how it works for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Zubair,
Try something like this:
[YOUR_SOURCETYPE]
SHOULD_LINEMERGE=true
LINE_BREAKER=(, )
TRUNCATE=9999999
BREAK_ONLY_BEFORE={
MUST_BREAK_AFTER=}
SEDCMD-cleanup-before=s/^\{ "User" : \[\s\{/{/g
SEDCMD-cleanup-after-2=s/\s\[\}/}/gIt's best if you can run that on a test instance first with some sample data to see how it works for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone interested,
This solution worked just fine, however i ended up using the Addon builder instead since it was clean with less efforts.
There is an option in Addon builder called "event extraction settings" here i simply used the following settings $.User
This setting will break the events and also field/value pairs.
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you need help how to configure the props.conf or where to configure it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for not being clearer, however i need help with props attributes and regex to match event break
What’s New & Next in Splunk SOAR
Your Voice Matters! Help Us Shape the New Splunk Lantern Experience
September Community Champions: A Shoutout to Our Contributors!
