Getting Data In

Split json array of objects into multiple events

sboogaar
Path Finder

We have data structured in the following format:

[
  {
    "container_id": "1",
    "executor_id": "1",
    "framework_id": "2",
    "statistics": {
      "cpus_limit": 1,
      "cpus_nr_periods": 1
    },
    "status": {
      "container_id": {
        "value": "123"
      }
    }
  },
  {
    "container_id": "2",
    "executor_id": "1",
    "framework_id": "3",
    "statistics": {
      "cpus_limit": 1.1,
      "cpus_nr_periods": 2
    },
    "status": {
      "container_id": {
        "value": "124"
      }
    }
  }
]

We would like to split it into separate events in a way that we end up with:

Event 1

{
  "container_id": "1",
  "executor_id": "1",
  "framework_id": "2",
  "statistics": {
    "cpus_limit": 1,
    "cpus_nr_periods": 1
  },
  "status": {
    "container_id": {
      "value": "123"
    }
  }
}

Event 2

{
  "container_id": "2",
  "executor_id": "1",
  "framework_id": "3",
  "statistics": {
    "cpus_limit": 1.1,
    "cpus_nr_periods": 2
  },
  "status": {
    "container_id": {
      "value": "124"
    }
  }
}

We cannot split on '},' as this would also split on

"cpus_nr_periods": }, "status": {

Is there any way we can split those events (at index time)?


martin_mueller
SplunkTrust

Assuming your data isn't actually prettyprinted, you can have LINE_BREAKER = \}(,)\{ in your props.conf, alongside SHOULD_LINEMERGE = false. If your data is prettyprinted you'll need to allow whitespace between the comma and the opening curly brace.

martin_mueller
SplunkTrust

If your data is prettyprinted you'll need to allow whitespace between the comma and the opening curly brace.

\}(,\s*)\{

sboogaar
Path Finder

It is formatted exactly as I posted. I don't see how the linebreaker would work: https://regexr.com/43084. We are not in control of the format, as it is the response of a call to a DC/OS API.
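As an added worked example (not posted by anyone in the thread), the following Python script simulates how Splunk applies a LINE_BREAKER regex with SHOULD_LINEMERGE = false to the pretty-printed array from the question. It uses the whitespace-tolerant regex from the second answer, and shows why the naive '},' split and the whitespace-free regex from the first answer both fall short on this input. The sourcetype name, the SEDCMD lines and the helper function names are assumptions made for this example; the sample array is the one from the question, embedded so the script runs offline.

```python
import json
import re

# props.conf settings as proposed in the thread (second, whitespace-tolerant
# regex). The sourcetype name and the two SEDCMD lines are assumptions for
# this example, not something the thread states:
#
#   [dcos_container_stats]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = \}(,\s*)\{
#   SEDCMD-strip_array_open = s/^\s*\[\s*//
#   SEDCMD-strip_array_close = s/\s*\]\s*$//
LINE_BREAKER = r"\}(,\s*)\{"
LINE_BREAKER_NO_WS = r"\}(,)\{"  # first suggestion; assumes no whitespace after the comma

# The pretty-printed array from the question, embedded inline.
SAMPLE = """[
  {
    "container_id": "1",
    "executor_id": "1",
    "framework_id": "2",
    "statistics": {
      "cpus_limit": 1,
      "cpus_nr_periods": 1
    },
    "status": {
      "container_id": {
        "value": "123"
      }
    }
  },
  {
    "container_id": "2",
    "executor_id": "1",
    "framework_id": "3",
    "statistics": {
      "cpus_limit": 1.1,
      "cpus_nr_periods": 2
    },
    "status": {
      "container_id": {
        "value": "124"
      }
    }
  }
]"""


def naive_split(raw: str) -> list[str]:
    """The split the question rules out: '},' also closes every nested object."""
    return raw.split("},")


def splunk_line_break(raw: str, line_breaker: str) -> list[str]:
    """Simulate LINE_BREAKER with SHOULD_LINEMERGE = false.

    Splunk treats the first capturing group as the delimiter: everything up to
    the group's start ends the current event, the captured text is discarded,
    and the next event begins right after the group. Text outside the group
    (here the '}' and the '{') is therefore kept with its event.
    """
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def strip_array_brackets(event: str) -> str:
    """What the two assumed SEDCMDs would do: drop the array's '[' that stays
    on the first event and the ']' that stays on the last one."""
    event = re.sub(r"^\s*\[\s*", "", event)
    return re.sub(r"\s*\]\s*$", "", event)


def split_events(raw: str, line_breaker: str = LINE_BREAKER) -> list[dict]:
    """Break the array into events and check that each one is valid JSON on its own."""
    return [json.loads(strip_array_brackets(e))
            for e in splunk_line_break(raw, line_breaker)]


if __name__ == "__main__":
    print(f"naive split on '}},' yields {len(naive_split(SAMPLE))} fragments")
    print(f"{LINE_BREAKER_NO_WS!r} on pretty-printed input yields "
          f"{len(splunk_line_break(SAMPLE, LINE_BREAKER_NO_WS))} event(s)")
    for ev in splunk_line_break(SAMPLE, LINE_BREAKER):
        print("--- raw event ---")
        print(ev)
    for obj in split_events(SAMPLE):
        print("parsed container_id:", obj["container_id"])
```

Running it shows the naive split producing four fragments, the whitespace-free regex producing a single unbroken event on this input, and the whitespace-tolerant regex producing the two objects. Note what the line breaker alone leaves behind: the first event still starts with the array's `[` and the last still ends with `]`, which is why the assumed SEDCMD lines (or an equivalent transform) are worth adding before relying on JSON field extraction.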