Re: Split list of JSON objects into events

shakSplunk · ‎06-06-2021

Hi all,

I had a previous question that got solved here:
https://community.splunk.com/t5/Getting-Data-In/Split-a-nested-json-array-with-key-value-pairs/m-p/5...

However, with a slight variation to the input json data, splunk is no longer separating out each object as an event (changed "Rows" into "Root" and "timestamp" into "Timestamp").

Similar to the question above, I have the following input data (this is nicely structured, whereas in the file it is instead one long line):

{
    "Root": [
        {
            "Timestamp": "03-06-2021 13:52:34",
            "Region": "rcc",
            "Hostname": "lx206",
            "Version": "123",
            "Environment": "E"
        },
        {
            "Timestamp": "03-06-2021 13:52:33",
            "Region": "rcc",
            "Hostname": "lx206",
            "Version": "123",
            "Environment": "E"
        },
        {
            "Timestamp": "03-06-2021 13:52:32",
            "Region": "rcc",
            "Hostname": "lx206",
            "Version": "123",
            "Environment": "S"
        },
        {
            "Timestamp": "03-06-2021 13:52:31",
            "Region": "rcc",
            "Hostname": "lx206",
            "Version": "123",
            "Catridge": "UPP",
            "CatridgeType": "Product",
            "Environment": "S"
        }
    ]
}

The following props.config was used before, however no longer works with the new data:

CHARSET=AUTO
DATETIME_CONFIG=
LINE_BREAKER=}(,){\"timestamp\"
NO_BINARY_CHECK=true
SEDCMD-a=s/{"Rows": \[//g
SEDCMD-b=s/\]}//g
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
category=Custom

With the new input data, I've tried modifying the config file to produce the following, however one event is produced instead of separating each object into an event:

CHARSET=AUTO
DATETIME_CONFIG=
LINE_BREAKER=}(,){\"Timestamp\"
NO_BINARY_CHECK=true
SEDCMD-a=s/{"Root": \[//g
SEDCMD-b=s/\]}//g
TRUNCATE=0
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
category=Custom

Any help would be greatly appreciated.

kamlesh_vaghela · ‎06-07-2021

@shakSplunk

This configuration works for me. Can you please try this?

LINE_BREAKER = }(,){\"Timestamp\"
NO_BINARY_CHECK = true
SEDCMD-a = s/{"Root": \[//g
SEDCMD-b = s/\]}//g
category = Custom
pulldown_type = true
disabled = false
BREAK_ONLY_BEFORE_DATE = 
SHOULD_LINEMERGE = false

My Sample data:

{"Root": [{"Timestamp": "03-06-2021 13:52:34","Region": "rcc","Hostname": "lx206","Version": "123","Environment": "E"},{"Timestamp": "03-06-2021 13:52:33","Region": "rcc","Hostname": "lx206","Version": "123","Environment": "E"},{"Timestamp": "03-06-2021 13:52:32","Region": "rcc","Hostname": "lx206","Version": "123","Environment": "S"},{"Timestamp": "03-06-2021 13:52:31","Region": "rcc","Hostname": "lx206","Version": "123","Catridge": "UPP","CatridgeType": "Product","Environment": "S"}]}

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Split list of JSON objects into events

JSON

props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation