Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Read JSON

bardill
Explorer
‎05-06-2021 02:48 AM 
Hi, I'm new to Splunk.
How do I have to set the props.conf in the indexer so that my JSON reads correctly?
I would like to have the fields: LOGTIME, CMDBID, RunID and Msg per event.
[{"LOGTIME" : "06-05-2021 11:27:12","CMDBID" : "TEST","RunID" : "356166995","Msg" : "************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356166995 (ProcID:0012059010) START AT 04.05.2021 / 15:48:42 **
** UTC TIME 04.05.2021 / 13:48:42 **
** TEXT= Job started **
************************************************************************
total 72
drwxr-xr-x 11 utpuc4 utpuc4 8192 May 04 12:15 .
drwxr-xr-x 3 utxuc4 utxuc4 256 Aug 04 2020 ..
-rw------- 1 utpuc4 utpuc4 8546 Apr 27 13:02 .bash_history
drwxr-x--- 2 utpuc4 utpuc4 4096 Apr 27 10:38 .histfiles
-rw-r--r-- 1 utpuc4 utpuc4 0 Nov 06 2019 .lesshsQ
-rw------- 1 utpuc4 utpuc4 47 Mar 14 2019 .lesshst
-rw-r----- 1 utpuc4 utpuc4 1727 Aug 19 2019 .profile
drwx------ 2 utpuc4 utpuc4 256 Dec 23 2019 .ssh
drwxr-x--- 3 utpuc4 utpuc4 256 Aug 31 2018 CAPKI
drwxr-xr-x 6 utpuc4 utpuc4 256 Aug 20 2020 V12.3.3_2020-08-18
drwxr-x--- 6 utpuc4 utpuc4 256 Aug 30 2018 V122_HF1
drwxr-xr-x 2 utpuc4 utpuc4 256 Sep 04 2018 archive
lrwxrwxrwx 1 utpuc4 utpuc4 23 Jan 31 2019 global -> /var/uc4/uc4global/prod
lrwxrwxrwx 1 utpuc4 utpuc4 28 Sep 13 2018 java8_64 -> /opt/java/java8_64_8.0.0.521
lrwxrwxrwx 1 utpuc4 utpuc4 11 Sep 04 2018 latest -> ./V122_HF1/
drwxr-xr-x 2 utpuc4 utpuc4 256 Jul 13 2018 lost+found
drwxr-xr-x 3 utpuc4 utpuc4 256 Sep 03 2018 network
-rw------- 1 utpuc4 utpuc4 0 Aug 03 2020 nohup.out
drwxr-xr-x 7 utpuc4 utpuc4 256 Feb 17 2020 share
************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356166995 (ProcID:0012059010) ENDED AT 04.05.2021 / 15:48:42 **
** UTC TIME 04.05.2021 / 13:48:42 **
** TEXT= Job ended RETCODE=00 **
************************************************************************
"},
{"LOGTIME" : "06-05-2021 11:27:12","CMDBID" : "TEST","RunID" : "356178213","Msg" : "************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356178213 (ProcID:0023593346) START AT 04.05.2021 / 15:49:53 **
** UTC TIME 04.05.2021 / 13:49:53 **
** TEXT= Job started **
************************************************************************
total 72
drwxr-xr-x 11 utpuc4 utpuc4 8192 May 04 12:15 .
drwxr-xr-x 3 utxuc4 utxuc4 256 Aug 04 2020 ..
-rw------- 1 utpuc4 utpuc4 8546 Apr 27 13:02 .bash_history
drwxr-x--- 2 utpuc4 utpuc4 4096 Apr 27 10:38 .histfiles
-rw-r--r-- 1 utpuc4 utpuc4 0 Nov 06 2019 .lesshsQ
-rw------- 1 utpuc4 utpuc4 47 Mar 14 2019 .lesshst
-rw-r----- 1 utpuc4 utpuc4 1727 Aug 19 2019 .profile
drwx------ 2 utpuc4 utpuc4 256 Dec 23 2019 .ssh
drwxr-x--- 3 utpuc4 utpuc4 256 Aug 31 2018 CAPKI
drwxr-xr-x 6 utpuc4 utpuc4 256 Aug 20 2020 V12.3.3_2020-08-18
drwxr-x--- 6 utpuc4 utpuc4 256 Aug 30 2018 V122_HF1
drwxr-xr-x 2 utpuc4 utpuc4 256 Sep 04 2018 archive
lrwxrwxrwx 1 utpuc4 utpuc4 23 Jan 31 2019 global -> /var/uc4/uc4global/prod
lrwxrwxrwx 1 utpuc4 utpuc4 28 Sep 13 2018 java8_64 -> /opt/java/java8_64_8.0.0.521
lrwxrwxrwx 1 utpuc4 utpuc4 11 Sep 04 2018 latest -> ./V122_HF1/
drwxr-xr-x 2 utpuc4 utpuc4 256 Jul 13 2018 lost+found
drwxr-xr-x 3 utpuc4 utpuc4 256 Sep 03 2018 network
-rw------- 1 utpuc4 utpuc4 0 Aug 03 2020 nohup.out
drwxr-xr-x 7 utpuc4 utpuc4 256 Feb 17 2020 share
************************************************************************
** ucxja64m version 12.2.0+build.2108 changelist 1530016094 **
** JOB 356178213 (ProcID:0023593346) ENDED AT 04.05.2021 / 15:49:53 **
** UTC TIME 04.05.2021 / 13:49:53 **
** TEXT= Job ended RETCODE=00 **
************************************************************************
"}]

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-07-2021 07:23 AM

Verify the data is valid JSON.  Splunk won't extract events from imperfect JSON events.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-06-2021 06:01 AM

Please share your current props.conf settings and the results you get using them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

bardill
Explorer
‎05-07-2021 02:51 AM

hi

he break all lines?

this is the props.conf on the indexer

[automic_itil]
SHOULD_LINEMERGE = false
KV_MODE = NONE
INDEXED_EXTRACTIONS = JSON
LINE_BREAKER = \{\"LOGTIME
TIME_PREFIX = LOGTIME\"\s\:\s\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S

 

bardill_0-1620381030546.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-07-2021 07:23 AM

Verify the data is valid JSON.  Splunk won't extract events from imperfect JSON events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...