Getting Data In

Receiving multiple json events as one from third party application

aitymm
Loves-to-Learn

Hi everyone,

I`m receiving multiple JSON events as one event from third party application as showned below.

 

{"metric":"host1.adapter.DEMO.ALL.in.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.filter","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.total","event":"metric","type":"m","value":996}
{"metric":"host1.adapter.DEMO.ALL.out.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.out.total","event":"metric","type":"m","value":996}

 

 

I tried to use spath & mvexpand commands, to split it to a separate events. But couldn`t get results  as i expected.
Finnaly, i need to apply my  search to get total count by separate metric value as shown below:

 

source="tcp:10244" sourcetype="json_no_timestamp"| spath metric | search metric=" host1.adapter.DEMO.WebLogicInputFlow.out.total " | sort _time | autoregress "value" p=1 | eval diff=if(value>value_p1, max(value)-min(value_p1), null())  | timechart span=60s sum(diff) as total_count

 

 

here is my props.conf lines:

[adapter:json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

Any help is appreciated.

Labels (4)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...