Solved: Re: REST input JSON event break

zubairsp · ‎08-28-2024

Hello,

Need an urgent help.

I am using REST API Modular input and the problem is i am not able to set the parameter for event breaking, below is the sample log.

{ "User" : [ { "record_id" : "2", "email_address" : "dsfsdf@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-23T05:28:43.091+00:00", "user_id" : "54216542", "username" : "Audit.Test1", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46", "user_creation_date" : "2024-08-23T05:28:42.000+00:00", "user_last_update_date" : "2024-08-23T05:28:44.000+00:00" }, { "record_id" : "3", "email_address" : "XDCFSD@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-28T06:42:43.736+00:00", "user_id" : "300000019394603", "username" : "Assessment.Integration", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46545SDS45S", "user_creation_date" : "2024-08-28T06:42:43.000+00:00", "user_last_update_date" : "2024-08-28T06:42:47.000+00:00" }, { "record_id" : "1", "email_address" : "dfds@dfwsfe.com", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-06T13:27:34.085+00:00", "user_id" : "5612156498213", "username" : "dfsv", "suspended" : false, "person_id" : "56121564963", "credentials_email_sent" : "", "user_guid" : "D564FSD2F8WEGV216S", "user_creation_date" : "2024-08-06T13:29:00.000+00:00", "user_last_update_date" : "2024-08-06T13:29:47.224+00:00" } ]}

DavidHourani · ‎08-28-2024

Hi Zubair,

Try something like this:

[YOUR_SOURCETYPE]
SHOULD_LINEMERGE=true
LINE_BREAKER=(, )
TRUNCATE=9999999
BREAK_ONLY_BEFORE={
MUST_BREAK_AFTER=}
SEDCMD-cleanup-before=s/^\{ "User" : \[\s\{/{/g
SEDCMD-cleanup-after-2=s/\s\[\}/}/g

It's best if you can run that on a test instance first with some sample data to see how it works for you.

View solution in original post

DavidHourani · ‎08-28-2024

Hi Zubair,

Try something like this:

[YOUR_SOURCETYPE]
SHOULD_LINEMERGE=true
LINE_BREAKER=(, )
TRUNCATE=9999999
BREAK_ONLY_BEFORE={
MUST_BREAK_AFTER=}
SEDCMD-cleanup-before=s/^\{ "User" : \[\s\{/{/g
SEDCMD-cleanup-after-2=s/\s\[\}/}/g

It's best if you can run that on a test instance first with some sample data to see how it works for you.

zubairsp · ‎08-29-2024

Anyone interested,

This solution worked just fine, however i ended up using the Addon builder instead since it was clean with less efforts.

There is an option in Addon builder called "event extraction settings" here i simply used the following settings $.User

This setting will break the events and also field/value pairs.

Cheers!

PaulPanther · ‎08-28-2024

Do you need help how to configure the props.conf or where to configure it?

zubairsp · ‎08-28-2024

Sorry for not being clearer, however i need help with props attributes and regex to match event break

REST input JSON event break

JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation