REST input JSON event break

zubairsp
Explorer

Hello,

Need urgent help.

I am using the REST API Modular Input and the problem is I am not able to set the parameters for event breaking. Below is a sample log.

{ "User" : [ { "record_id" : "2", "email_address" : "dsfsdf@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-23T05:28:43.091+00:00", "user_id" : "54216542", "username" : "Audit.Test1", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46", "user_creation_date" : "2024-08-23T05:28:42.000+00:00", "user_last_update_date" : "2024-08-23T05:28:44.000+00:00" }, { "record_id" : "3", "email_address" : "XDCFSD@dfdf.net", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-28T06:42:43.736+00:00", "user_id" : "300000019394603", "username" : "Assessment.Integration", "suspended" : false, "person_id" : "", "credentials_email_sent" : "", "user_guid" : "21SD6F546S2SD5F46545SDS45S", "user_creation_date" : "2024-08-28T06:42:43.000+00:00", "user_last_update_date" : "2024-08-28T06:42:47.000+00:00" }, { "record_id" : "1", "email_address" : "dfds@dfwsfe.com", "email_address_id" : "", "email_type" : "", "email_creation_date" : "", "email_last_update_date" : "2024-08-06T13:27:34.085+00:00", "user_id" : "5612156498213", "username" : "dfsv", "suspended" : false, "person_id" : "56121564963", "credentials_email_sent" : "", "user_guid" : "D564FSD2F8WEGV216S", "user_creation_date" : "2024-08-06T13:29:00.000+00:00", "user_last_update_date" : "2024-08-06T13:29:47.224+00:00" } ]}

DavidHourani
Super Champion

Hi Zubair,

Try something like this:

[YOUR_SOURCETYPE]
SHOULD_LINEMERGE=false
# Break between array elements at the "}, {" boundary. Splunk discards only the
# text matched by the first capturing group, so each event keeps its own braces
# and the commas inside it, and stays valid JSON.
LINE_BREAKER=\}(,\s*)\{
TRUNCATE=9999999
# The first and last elements still carry the outer wrapper; strip it so every
# event is a bare JSON object.
SEDCMD-cleanup-before=s/^\{\s*"User"\s*:\s*\[\s*\{/{/
SEDCMD-cleanup-after=s/\}\s*\]\s*\}$/}/

It's best if you can run that on a test instance first with some sample data to see how it works for you.

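To check the breaking and cleanup rules offline before touching a test instance, here is an added example (not from the thread) that replays them in Python against a shortened, constructed copy of the sample payload. It models a LINE_BREAKER of `\}(,\s*)\{`: Splunk discards only the text matched by the first capturing group, so breaking on a bare `, ` would also drop the commas inside each object, whereas breaking at the `}, {` boundary leaves every element a complete JSON object. The SED_HEAD and SED_TAIL patterns stand in for the two SEDCMD lines; all names in the block are this example's own.

```python
"""Offline replay of Splunk LINE_BREAKER + SEDCMD event breaking for a JSON array.

Added example, not from the original thread. It applies the same regexes a
props.conf stanza would, then checks that every resulting event parses as JSON.
"""
import json
import re

# Constructed sample: same shape as the poster's log, values shortened.
PAYLOAD = (
    '{ "User" : [ '
    '{ "record_id" : "2", "email_address" : "dsfsdf@dfdf.net", '
    '"username" : "Audit.Test1", "suspended" : false }, '
    '{ "record_id" : "3", "email_address" : "XDCFSD@dfdf.net", '
    '"username" : "Assessment.Integration", "suspended" : false }, '
    '{ "record_id" : "1", "email_address" : "dfds@dfwsfe.com", '
    '"username" : "dfsv", "suspended" : false } '
    ']}'
)

# LINE_BREAKER = \}(,\s*)\{  -- only the text of group 1 is discarded;
# everything before it closes one event, everything after it opens the next.
LINE_BREAKER = re.compile(r"\}(,\s*)\{")

# SEDCMD equivalents: strip the array wrapper that clings to the first and
# last element after breaking (hypothetical names for this example).
SED_HEAD = (re.compile(r'^\{\s*"User"\s*:\s*\[\s*\{'), "{")
SED_TAIL = (re.compile(r"\}\s*\]\s*\}$"), "}")


def line_break(raw: str, breaker: re.Pattern) -> list[str]:
    """Split `raw` the way Splunk applies LINE_BREAKER: drop only capture group 1."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])  # keep the closing brace
        start = m.end(1)                       # next event starts at "{"
    events.append(raw[start:])
    return events


def apply_sedcmds(event: str) -> str:
    """Run the two cleanup substitutions once each, like SEDCMD on _raw."""
    for pattern, repl in (SED_HEAD, SED_TAIL):
        event = pattern.sub(repl, event, count=1)
    return event.strip()


def break_into_events(raw: str) -> list[str]:
    """Full pipeline: line breaking followed by per-event SEDCMD cleanup."""
    return [apply_sedcmds(e) for e in line_break(raw, LINE_BREAKER)]


def parse_events(raw: str) -> list[dict]:
    """Each event must be valid JSON on its own, or KV_MODE=json has nothing to extract."""
    return [json.loads(e) for e in break_into_events(raw)]


if __name__ == "__main__":
    for ev in break_into_events(PAYLOAD):
        print(ev)
    # The per-event objects must equal the array elements of the original document.
    assert parse_events(PAYLOAD) == json.loads(PAYLOAD)["User"]
```

Run it as a script to print the three events; if a regex is changed, the final assertion fails before the config reaches an indexer.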
zubairsp
Explorer

Anyone interested,

This solution worked just fine; however, I ended up using the Add-on Builder instead since it was cleaner with less effort.

There is an option in Add-on Builder called "event extraction settings"; here I simply used the following setting: $.User

This setting will break the events and also field/value pairs.

Cheers!

PaulPanther
Builder

Do you need help with how to configure props.conf, or with where to configure it?

zubairsp
Explorer

Sorry for not being clearer; I need help with the props attributes and the regex to match the event break.
