Receiving multiple json events as one from third p...

aitymm · ‎12-19-2020

Hi everyone,

I`m receiving multiple JSON events as one event from third party application as showned below.

{"metric":"host1.adapter.DEMO.ALL.in.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.filter","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.total","event":"metric","type":"m","value":996}
{"metric":"host1.adapter.DEMO.ALL.out.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.out.total","event":"metric","type":"m","value":996}

I tried to use spath & mvexpand commands, to split it to a separate events. But couldn`t get results as i expected.
Finnaly, i need to apply my search to get total count by separate metric value as shown below:

source="tcp:10244" sourcetype="json_no_timestamp"| spath metric | search metric=" host1.adapter.DEMO.WebLogicInputFlow.out.total " | sort _time | autoregress "value" p=1 | eval diff=if(value>value_p1, max(value)-min(value_p1), null())  | timechart span=60s sum(diff) as total_count

here is my props.conf lines:

[adapter:json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

Any help is appreciated.

Receiving multiple json events as one from third party application

heavy forwarder

JSON

props.conf

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation