Why do I have several JSON events showing as a sin...

moorvogi · ‎10-30-2018

I have 1-40 (or more) JSON objects that are seen as one event within Splunk. Each JSON object ends w/ the "}" character and is a valid JSON object. For whatever reason, there are just several JSON objects per one Splunk event.

How do i split this so it's one JSON entry per Splunk event?

pruthvikrishnap · ‎10-30-2018

Hi ,
There are multiple ways you can split the JSON events, you can try adding sedcmd to props.conf somnething like this.
[myJSON]
SEDCMD-remove_header = s/^(?:.\n){1,3}//g
SEDCMD-remove_footer = s/][\r\n]\s}.$//g
LINE_BREAKER = }(\s,[\r\n]\s*){`

else you can update a responsehandler which is a python class and use it in your inputs.
https://answers.splunk.com/answers/233620/how-to-use-custom-response-handlers-for-monitoring-1.html

i am not sure on what your scenario is

Why do I have several JSON events showing as a single Splunk event?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!