Getting Data In

REST input JSON event break

zubairsp
Explorer

Hello,

Need an urgent help.

I am using REST API Modular input and the problem is i am not able to set the parameter for event breaking, below is the sample log.

{ "User" : [ { "record_id" : "2", "email_address" : "dsfsdf@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-23T05:28:43.091+00:00", "user_id" : "54216542", "username" : "Audit.Test1", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46", "user_creation_date" : "2024-08-23T05:28:42.000+00:00", "user_last_update_date" : "2024-08-23T05:28:44.000+00:00" }, { "record_id" : "3", "email_address" : "XDCFSD@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-28T06:42:43.736+00:00", "user_id" : "300000019394603", "username" : "Assessment.Integration", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46545SDS45S", "user_creation_date" : "2024-08-28T06:42:43.000+00:00", "user_last_update_date" : "2024-08-28T06:42:47.000+00:00" }, { "record_id" : "1", "email_address" : "dfds@dfwsfe.com", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-06T13:27:34.085+00:00", "user_id" : "5612156498213", "username" : "dfsv", "suspended" : false, "person_id" : "56121564963", "credentials_email_sent" : "", "user_guid" : "D564FSD2F8WEGV216S", "user_creation_date" : "2024-08-06T13:29:00.000+00:00", "user_last_update_date" : "2024-08-06T13:29:47.224+00:00" } ]}

Labels (1)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi Zubair,

 

Try something like this:

[YOUR_SOURCETYPE]
SHOULD_LINEMERGE=true
LINE_BREAKER=(, )
TRUNCATE=9999999
BREAK_ONLY_BEFORE={
MUST_BREAK_AFTER=}
SEDCMD-cleanup-before=s/^\{ "User" : \[\s\{/{/g
SEDCMD-cleanup-after-2=s/\s\[\}/}/g

It's best if you can run that on a test instance first with some sample data to see how it works for you.

 

View solution in original post

DavidHourani
Super Champion

Hi Zubair,

 

Try something like this:

[YOUR_SOURCETYPE]
SHOULD_LINEMERGE=true
LINE_BREAKER=(, )
TRUNCATE=9999999
BREAK_ONLY_BEFORE={
MUST_BREAK_AFTER=}
SEDCMD-cleanup-before=s/^\{ "User" : \[\s\{/{/g
SEDCMD-cleanup-after-2=s/\s\[\}/}/g

It's best if you can run that on a test instance first with some sample data to see how it works for you.

 

zubairsp
Explorer

Anyone interested,

This solution worked just fine, however i ended up using the Addon builder instead since it was clean with less efforts.

There is an option in Addon builder called "event extraction settings" here i simply used the following settings $.User

This setting will break the events and also field/value pairs.

Cheers!

0 Karma

PaulPanther
Builder

Do you need help how to configure the props.conf or where to configure it?

0 Karma

zubairsp
Explorer

Sorry for not being clearer, however i need help with props attributes and regex to match event break

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...