
There are multiple JSON messages in _raw coming into a HEC, and splitting them doesn't quite get what I need?

loganseth
Path Finder

Greetings.

We recently turned on a HEC and have JSON data coming in, and I have noticed that multiple JSON blobs are embedded in _raw. I searched several solutions and found one that actually did parse _raw into a new column "split_raw", and then I went so far as to try

| eval raw=split_raw

but when I do

| table *

it still shows all the data from the first entry only.

I think my questions are:

1. The ones that are 'multiple JSON entries' are, I think, the ones where 'a bunch arrive at about the same time'. So is there a way to FORCE these to split at ingestion (to guarantee 1:1 JSON-to-event)? My guess is I may need to play with my source_type, but I am looking for some guidance/thoughts.

2. If not, will I have to split them (like the link above) and then do some processing on the new split_raw field?

Thank you so much for leads and thoughts on this!


yuanliu
SplunkTrust

Splitting mangled data at search time should be your last resort. If you only recently started this HEC, better to start over.

Line breaking (more correctly, the documentation talks about event breaking) is the foundation of data ingestion; it is highly tunable. Your source developer should make every effort to make sure Splunk can break events easily. For example, does the source insert a newline ("\n") after each JSON event? Is there some marker that marks the beginning and end of an event?


PickleRick
SplunkTrust

It's also worth noting that if you submit your events to the /event endpoint, you skip some pipeline steps completely (most notably event breaking and, by default, timestamp parsing).

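The two answers above describe three distinct situations: a sender that concatenates JSON objects with no separator (so event breaking has nothing to break on and only the first object's fields show), a sender that emits one object per line to the /raw endpoint (so the default LINE_BREAKER does the splitting), and a sender that wraps each object in its own envelope for the /event endpoint (where event breaking is skipped entirely). The following is an added example, not code from this thread or from Splunk, that builds each of those request bodies, models the default line-breaking step, and implements the "last resort" search-time splitter the original poster was fighting with. The HEC endpoint paths and the default LINE_BREAKER value `([\r\n]+)` are taken from Splunk's documentation; the sample events, source and sourcetype names are constructed for the example.

```python
"""Added example: how multi-JSON bursts reach Splunk HEC, and how to recover
from the bad case. Not from the thread; sample data below is constructed."""
import json
import re

# Constructed sample: four JSON events a source might emit in one burst.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T12:00:00Z", "user": "alice", "action": "login", "ok": True},
    {"ts": "2024-05-01T12:00:00Z", "user": "bob", "action": "login", "ok": False},
    {"ts": "2024-05-01T12:00:01Z", "user": "alice", "action": "sudo", "cmd": "id"},
    {"ts": "2024-05-01T12:00:01Z", "user": "carol", "action": "logout", "ok": True},
]

# Splunk's default LINE_BREAKER from props.conf: break at any run of CR/LF.
DEFAULT_LINE_BREAKER = re.compile(r"([\r\n]+)")


def raw_body_mangled(events):
    """The failure mode in the question: objects concatenated with no
    separator. Sent to /services/collector/raw, the pipeline finds nothing
    to break on, the whole burst becomes one _raw, and search-time JSON
    extraction only surfaces the first object's fields."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events)


def raw_body_ndjson(events):
    """Body for /services/collector/raw done properly: one object per line,
    so the default LINE_BREAKER produces one event per object."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events) + "\n"


def simulate_line_breaking(body):
    """Approximate the indexer's LINE_BREAKER step on a /raw body: split on
    the regex and drop the separator/empty remainders. Real event breaking
    also involves SHOULD_LINEMERGE and friends; only the default line break
    is modelled here."""
    return [part for part in DEFAULT_LINE_BREAKER.split(body) if part.strip()]


def event_body(events, source="myapp", sourcetype="_json"):
    """Body for /services/collector/event: one {"event": ...} envelope per
    object. HEC accepts several envelopes concatenated in one request, and
    each envelope is already one event, so event breaking is skipped. Set
    "time" in the envelope if you need the event time, since timestamp
    parsing is skipped by default on this endpoint."""
    return "".join(
        json.dumps({"source": source, "sourcetype": sourcetype,
                    "time": e["ts"], "event": e})
        for e in events
    )


def split_concatenated_json(raw):
    """Search-time last resort: decode back-to-back JSON objects out of one
    _raw. raw_decode walks the real grammar, so nested braces are not a
    problem; a truncated trailing object is returned as a string rather
    than silently dropped."""
    decoder = json.JSONDecoder()
    pos, n, out = 0, len(raw), []
    while pos < n:
        while pos < n and raw[pos].isspace():
            pos += 1
        if pos >= n:
            break
        try:
            obj, end = decoder.raw_decode(raw, pos)
        except json.JSONDecodeError:
            out.append(raw[pos:])  # keep the partial tail for inspection
            break
        out.append(obj)
        pos = end
    return out


if __name__ == "__main__":
    print("mangled /raw body -> events:",
          len(simulate_line_breaking(raw_body_mangled(SAMPLE_EVENTS))))
    print("NDJSON  /raw body -> events:",
          len(simulate_line_breaking(raw_body_ndjson(SAMPLE_EVENTS))))
    print("/event envelopes:",
          len(split_concatenated_json(event_body(SAMPLE_EVENTS))))
    print("recovered from mangled _raw:",
          len(split_concatenated_json(raw_body_mangled(SAMPLE_EVENTS))))
```

The point of the first two functions side by side is the one yuanliu makes: the fix belongs in the sender, not in SPL. If the source cannot be changed, a LINE_BREAKER such as `([\r\n]+)|(?<=\})(?=\{)` in props.conf would let the indexer split on the boundary between adjacent top-level objects, but that is fragile against nested objects and pretty-printed JSON, and the /event endpoint with one envelope per object removes the problem altogether.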

loganseth
Path Finder

Thank you for this perspective. That's how I felt as well, that

Split mangled data at search time should be your last resort.

I did some research on LINE_BREAK and went back to the default \n\s one I found (I had changed it), and preliminary results are going great!!

