Getting Data In

Split json array of objects into multiple events

sboogaar
Path Finder

We have data structured in the following format:

[
  {
    "container_id": "1",
    "executor_id": "1",
    "framework_id": "2",
    "statistics": {
      "cpus_limit": 1,
      "cpus_nr_periods": 1
    },
    "status": {
      "container_id": {
        "value": "123"
      }
    }
  },
   {
    "container_id": "2",
    "executor_id": "1",
    "framework_id": "3",
    "statistics": {
      "cpus_limit": 1.1,
      "cpus_nr_periods": 2
    },
    "status": {
      "container_id": {
        "value": "124"
      }
    }
  }
]

We would like to split it into separate events in a way that we end up with:

Event 1

{
  "container_id": "1",
  "executor_id": "1",
  "framework_id": "2",
  "statistics": {
    "cpus_limit": 1,
    "cpus_nr_periods": 1
  },
  "status": {
    "container_id": {
      "value": "123"
    }
  }
}

Event 2

{
  "container_id": "2",
  "executor_id": "1",
  "framework_id": "3",
  "statistics": {
    "cpus_limit": 1.1,
    "cpus_nr_periods": 2
  },
  "status": {
    "container_id": {
      "value": "124"
    }
  }
}

We can not do a split by '},' as this would also split on

"cpus_nr_periods": }, "status": {

Is there any way we can split those events (at index time)?

0 Karma

martin_mueller
SplunkTrust

Assuming your data isn't actually prettyprinted, you can have LINE_BREAKER = \}(,)\{ in your props.conf, alongside SHOULD_LINEMERGE = false. If your data is prettyprinted you'll need to allow whitespace between the comma and the opening curly brace.

martin_mueller
SplunkTrust

If your data is prettyprinted you'll need to allow whitespace between the comma and the opening curly brace.

\}(,\s*)\{
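To see what the two suggested breakers do on data shaped like the question's sample, here is an added Python example (not from this thread and not Splunk's own code) that emulates LINE_BREAKER's capture-group semantics and then parses each resulting event. It assumes the documented behaviour that the first capture group marks the boundary and its text is discarded, and it adds one step Splunk does not do for you: stripping the array's outer brackets from the first and last event.

```python
import json
import re

# Constructed sample shaped like the DC/OS response in the question.
OBJS = [
    {"container_id": "1", "executor_id": "1", "framework_id": "2",
     "statistics": {"cpus_limit": 1, "cpus_nr_periods": 1},
     "status": {"container_id": {"value": "123"}}},
    {"container_id": "2", "executor_id": "1", "framework_id": "3",
     "statistics": {"cpus_limit": 1.1, "cpus_nr_periods": 2},
     "status": {"container_id": {"value": "124"}}},
]
PRETTY = json.dumps(OBJS, indent=2)                 # as posted: "},\n  {" between objects
COMPACT = json.dumps(OBJS, separators=(",", ":"))   # one line: "},{" between objects


def line_break(raw, line_breaker):
    """Emulate LINE_BREAKER (with SHOULD_LINEMERGE = false): every match's first
    capture group is an event boundary and the text inside that group is dropped.
    Assumption: this mirrors the documented semantics; it is not Splunk's code."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def as_object(event):
    """LINE_BREAKER only splits: the array's '[' and ']' stay attached to the
    first and last event, so strip them before parsing (an extra step Splunk
    does not perform for you)."""
    text = event.strip()
    if text.startswith("["):
        text = text[1:]
    if text.endswith("]"):
        text = text[:-1]
    return json.loads(text)


def split_json_array(raw, line_breaker=r"\}(,\s*)\{"):
    """Apply the whitespace-tolerant breaker and parse each resulting event."""
    return [as_object(e) for e in line_break(raw, line_breaker)]


if __name__ == "__main__":
    # The strict breaker never matches pretty-printed data: one event, the whole array.
    print(len(line_break(PRETTY, r"\}(,)\{")), "event(s) with \\}(,)\\{ on pretty data")
    for obj in split_json_array(PRETTY):
        print(obj["container_id"], obj["status"]["container_id"]["value"])
```

The nested `},` before `"status"` is never followed by `{`, so neither breaker splits inside an object; only the whitespace-tolerant one splits between objects in the pretty-printed form.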

sboogaar
Path Finder

It is formatted exactly as I posted. I don't see how the line breaker would work: https://regexr.com/43084. We are not in control of the format as it is a response of a call to a DC/OS API.

0 Karma