Receiving multiple json events as one from third p...

aitymm · ‎12-19-2020

Hi everyone,

I`m receiving multiple JSON events as one event from third party application as showned below.

{"metric":"host1.adapter.DEMO.ALL.in.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.filter","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.total","event":"metric","type":"m","value":996}
{"metric":"host1.adapter.DEMO.ALL.out.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.out.total","event":"metric","type":"m","value":996}

I tried to use spath & mvexpand commands, to split it to a separate events. But couldn`t get results as i expected.
Finnaly, i need to apply my search to get total count by separate metric value as shown below:

source="tcp:10244" sourcetype="json_no_timestamp"| spath metric | search metric=" host1.adapter.DEMO.WebLogicInputFlow.out.total " | sort _time | autoregress "value" p=1 | eval diff=if(value>value_p1, max(value)-min(value_p1), null())  | timechart span=60s sum(diff) as total_count

here is my props.conf lines:

[adapter:json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

Any help is appreciated.

Receiving multiple json events as one from third party application

heavy forwarder

JSON

props.conf

sourcetype

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?