Receiving multiple json events as one from third p...

aitymm · ‎12-19-2020

Hi everyone,

I`m receiving multiple JSON events as one event from third party application as showned below.

{"metric":"host1.adapter.DEMO.ALL.in.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.filter","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.total","event":"metric","type":"m","value":996}
{"metric":"host1.adapter.DEMO.ALL.out.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.out.total","event":"metric","type":"m","value":996}

I tried to use spath & mvexpand commands, to split it to a separate events. But couldn`t get results as i expected.
Finnaly, i need to apply my search to get total count by separate metric value as shown below:

source="tcp:10244" sourcetype="json_no_timestamp"| spath metric | search metric=" host1.adapter.DEMO.WebLogicInputFlow.out.total " | sort _time | autoregress "value" p=1 | eval diff=if(value>value_p1, max(value)-min(value_p1), null())  | timechart span=60s sum(diff) as total_count

here is my props.conf lines:

[adapter:json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

Any help is appreciated.

Receiving multiple json events as one from third party application

heavy forwarder

JSON

props.conf

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation