Receiving multiple json events as one from third p...

aitymm · ‎12-19-2020

Hi everyone,

I`m receiving multiple JSON events as one event from third party application as showned below.

{"metric":"host1.adapter.DEMO.ALL.in.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.filter","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.in.total","event":"metric","type":"m","value":996}
{"metric":"host1.adapter.DEMO.ALL.out.error","event":"metric","type":"m","value":0}
{"metric":"host1.adapter.DEMO.ALL.out.total","event":"metric","type":"m","value":996}

I tried to use spath & mvexpand commands, to split it to a separate events. But couldn`t get results as i expected.
Finnaly, i need to apply my search to get total count by separate metric value as shown below:

source="tcp:10244" sourcetype="json_no_timestamp"| spath metric | search metric=" host1.adapter.DEMO.WebLogicInputFlow.out.total " | sort _time | autoregress "value" p=1 | eval diff=if(value>value_p1, max(value)-min(value_p1), null())  | timechart span=60s sum(diff) as total_count

here is my props.conf lines:

[adapter:json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

Any help is appreciated.

Receiving multiple json events as one from third party application

heavy forwarder

JSON

props.conf

sourcetype

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms