Read JSON

bardill
Explorer
Hi, I'm new to Splunk.
How do I have to set the props.conf in the indexer so that my JSON reads correctly?
I would like to have the fields: LOGTIME, CMDBID, RunID and Msg per event.
[{"LOGTIME" : "06-05-2021 11:27:12","CMDBID" : "TEST","RunID" : "356166995","Msg" : "************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356166995 (ProcID:0012059010) START AT 04.05.2021 / 15:48:42 **
** UTC TIME 04.05.2021 / 13:48:42 **
** TEXT= Job started **
************************************************************************
total 72
drwxr-xr-x 11 utpuc4 utpuc4 8192 May 04 12:15 .
drwxr-xr-x 3 utxuc4 utxuc4 256 Aug 04 2020 ..
-rw------- 1 utpuc4 utpuc4 8546 Apr 27 13:02 .bash_history
drwxr-x--- 2 utpuc4 utpuc4 4096 Apr 27 10:38 .histfiles
-rw-r--r-- 1 utpuc4 utpuc4 0 Nov 06 2019 .lesshsQ
-rw------- 1 utpuc4 utpuc4 47 Mar 14 2019 .lesshst
-rw-r----- 1 utpuc4 utpuc4 1727 Aug 19 2019 .profile
drwx------ 2 utpuc4 utpuc4 256 Dec 23 2019 .ssh
drwxr-x--- 3 utpuc4 utpuc4 256 Aug 31 2018 CAPKI
drwxr-xr-x 6 utpuc4 utpuc4 256 Aug 20 2020 V12.3.3_2020-08-18
drwxr-x--- 6 utpuc4 utpuc4 256 Aug 30 2018 V122_HF1
drwxr-xr-x 2 utpuc4 utpuc4 256 Sep 04 2018 archive
lrwxrwxrwx 1 utpuc4 utpuc4 23 Jan 31 2019 global -> /var/uc4/uc4global/prod
lrwxrwxrwx 1 utpuc4 utpuc4 28 Sep 13 2018 java8_64 -> /opt/java/java8_64_8.0.0.521
lrwxrwxrwx 1 utpuc4 utpuc4 11 Sep 04 2018 latest -> ./V122_HF1/
drwxr-xr-x 2 utpuc4 utpuc4 256 Jul 13 2018 lost+found
drwxr-xr-x 3 utpuc4 utpuc4 256 Sep 03 2018 network
-rw------- 1 utpuc4 utpuc4 0 Aug 03 2020 nohup.out
drwxr-xr-x 7 utpuc4 utpuc4 256 Feb 17 2020 share
************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356166995 (ProcID:0012059010) ENDED AT 04.05.2021 / 15:48:42 **
** UTC TIME 04.05.2021 / 13:48:42 **
** TEXT= Job ended RETCODE=00 **
************************************************************************
"},
{"LOGTIME" : "06-05-2021 11:27:12","CMDBID" : "TEST","RunID" : "356178213","Msg" : "************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356178213 (ProcID:0023593346) START AT 04.05.2021 / 15:49:53 **
** UTC TIME 04.05.2021 / 13:49:53 **
** TEXT= Job started **
************************************************************************
total 72
drwxr-xr-x 11 utpuc4 utpuc4 8192 May 04 12:15 .
drwxr-xr-x 3 utxuc4 utxuc4 256 Aug 04 2020 ..
-rw------- 1 utpuc4 utpuc4 8546 Apr 27 13:02 .bash_history
drwxr-x--- 2 utpuc4 utpuc4 4096 Apr 27 10:38 .histfiles
-rw-r--r-- 1 utpuc4 utpuc4 0 Nov 06 2019 .lesshsQ
-rw------- 1 utpuc4 utpuc4 47 Mar 14 2019 .lesshst
-rw-r----- 1 utpuc4 utpuc4 1727 Aug 19 2019 .profile
drwx------ 2 utpuc4 utpuc4 256 Dec 23 2019 .ssh
drwxr-x--- 3 utpuc4 utpuc4 256 Aug 31 2018 CAPKI
drwxr-xr-x 6 utpuc4 utpuc4 256 Aug 20 2020 V12.3.3_2020-08-18
drwxr-x--- 6 utpuc4 utpuc4 256 Aug 30 2018 V122_HF1
drwxr-xr-x 2 utpuc4 utpuc4 256 Sep 04 2018 archive
lrwxrwxrwx 1 utpuc4 utpuc4 23 Jan 31 2019 global -> /var/uc4/uc4global/prod
lrwxrwxrwx 1 utpuc4 utpuc4 28 Sep 13 2018 java8_64 -> /opt/java/java8_64_8.0.0.521
lrwxrwxrwx 1 utpuc4 utpuc4 11 Sep 04 2018 latest -> ./V122_HF1/
drwxr-xr-x 2 utpuc4 utpuc4 256 Jul 13 2018 lost+found
drwxr-xr-x 3 utpuc4 utpuc4 256 Sep 03 2018 network
-rw------- 1 utpuc4 utpuc4 0 Aug 03 2020 nohup.out
drwxr-xr-x 7 utpuc4 utpuc4 256 Feb 17 2020 share
************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356178213 (ProcID:0023593346) ENDED AT 04.05.2021 / 15:49:53 **
** UTC TIME 04.05.2021 / 13:49:53 **
** TEXT= Job ended RETCODE=00 **
************************************************************************
"}]

 

0 Karma

richgalloway
SplunkTrust

Please share your current props.conf settings and the results you get using them.

---
If this reply helps you, Karma would be appreciated.
0 Karma

bardill
Explorer

Hi,

It breaks all lines?

This is the props.conf on the indexer:

[automic_itil]
SHOULD_LINEMERGE = false
KV_MODE = NONE
INDEXED_EXTRACTIONS = JSON
LINE_BREAKER = \{\"LOGTIME
TIME_PREFIX = LOGTIME\"\s\:\s\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S

 


 

0 Karma

richgalloway
SplunkTrust

Verify the data is valid JSON.  Splunk won't extract events from imperfect JSON events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
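
Added example (not part of the thread and not Splunk code): a Python check of the "verify the data is valid JSON" advice, run on a constructed sample shaped like the question's events. It locates where strict parsing fails (the raw line breaks inside "Msg"), re-emits the events with those breaks escaped, and tests the posted TIME_FORMAT against the LOGTIME value; Python's strptime stands in for Splunk's, and day-month-year order is an assumption.

```python
import json
from datetime import datetime

# Constructed sample: same keys as the question, "Msg" spans several physical
# lines, so the string value contains raw (unescaped) newline characters.
RAW = '''[{"LOGTIME" : "06-05-2021 11:27:12","CMDBID" : "TEST","RunID" : "356166995","Msg" : "** JOB 356166995 START **
total 72
** TEXT= Job ended RETCODE=00 **
"},
{"LOGTIME" : "06-05-2021 11:27:12","CMDBID" : "TEST","RunID" : "356178213","Msg" : "** JOB 356178213 START **
total 72
"}]'''


def validate(text):
    """Return None if text is strict JSON, else (line, column, reason)."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as err:
        return (err.lineno, err.colno, err.msg)


def repair(text):
    """Parse leniently (control characters allowed inside strings) and
    re-serialize each event as one line of strict JSON."""
    events = json.loads(text, strict=False)
    return [json.dumps(event) for event in events]


def timestamp_matches(value, time_format):
    """True if value parses with the given strptime format string."""
    try:
        datetime.strptime(value, time_format)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("strict parse error:", validate(RAW))
    for line in repair(RAW):
        print("repaired event valid:", validate(line) is None)
    # TIME_FORMAT from the posted props.conf vs. the assumed day-month-year order
    for fmt in ("%Y-%m-%d %H:%M:%S", "%d-%m-%Y %H:%M:%S"):
        print(fmt, "->", timestamp_matches("06-05-2021 11:27:12", fmt))
```

Escaping the line breaks at the source that writes the file is the durable fix; the repair step only shows what valid output looks like.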