Getting Data In

Why is JSON parsing events inconsistently?

LealP
Explorer

Hello,

I have an issue with the JSON data that is being ingested into Splunk using the Universal Forwarder. Sometimes the JSON entries are ingested as individual entries in Splunk and other times the entire content is loaded as one single event. I tried to search for some special characters that might be causing this issue, but I wasn't able to find any. Attached is a print screen with 2 examples, one that is being loaded as expected and the other where the JSON is not correctly parsed.

Has someone already faced something similar? What should I do to fix it?


LealP
Explorer

@richgalloway here is the props.conf content:

CHARSET = UTF-8
LINE_BREAKER_LOOKBEHIND = 100
TRUNCATE = 10000
LB_CHUNK_BREAKER_TRUNCATE = 2000000
DATETIME_CONFIG = /etc/datetime.xml
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = True
HEADER_MODE =
MATCH_LIMIT = 100000
DEPTH_LIMIT = 1000
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=2000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
MAX_TIMESTAMP_LOOKAHEAD = 128
DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
TRANSFORMS =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
LEARN_SOURCETYPE = true
LEARN_MODEL = true
termFrequencyWeightedDist = false
maxDist = 100
AUTO_KV_JSON = true
detect_trailing_nulls = false
sourcetype =
priority =


richgalloway
SplunkTrust

Assuming that is the correct set of props (I wonder because BREAK_ONLY_BEFORE_DATE is true and yet events are not broken at dates) then these settings may help. Put them in $SPLUNK_HOME/etc/system/local/props.conf and restart the indexers.

[<<mysourcetype>>]
TIME_PREFIX = timestamp" : "
TIME_FORMAT = %Y-%m-%d %H:%M:%S
LINE_BREAKER = ([\r\n]+)\{"severity
TRUNCATE = 10000
MAX_TIMESTAMP_LOOKAHEAD = 128
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false
AUTO_KV_JSON = true

---
If this reply helps you, Karma would be appreciated.
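A quick offline check of the stanza proposed above before restarting the indexers, as an added example (Python, not code from this thread or from Splunk): it approximates what LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD do using Python's re module and runs them over constructed JSON events, including a compact one whose `"timestamp":"` spacing does not match the `timestamp" : "` prefix and therefore yields no timestamp.

```python
import json
import re
from datetime import datetime

# Values from the props.conf stanza proposed in the reply above.
LINE_BREAKER = r'([\r\n]+)\{"severity'
TIME_PREFIX = r'timestamp" : "'
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 128
# Fixed-width shape of TIME_FORMAT, used to cut the candidate out of the window.
TIME_SHAPE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def break_events(raw: str) -> list:
    """Approximate LINE_BREAKER: only capture group 1 is discarded, the
    rest of the match stays with the event that follows it."""
    events, start = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]

def extract_timestamp(event: str):
    """Approximate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT.
    None means Splunk would fall back to another timestamp source."""
    prefix = re.search(TIME_PREFIX, event)
    if not prefix:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    shape = TIME_SHAPE.match(window)
    return datetime.strptime(shape.group(0), TIME_FORMAT) if shape else None

def is_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

# Constructed sample: pretty-printed events (inner newlines must not break) and a compact one.
SAMPLE = (
    '{"severity" : "INFO",\n "timestamp" : "2024-05-01 10:00:00",\n "msg" : "start"}\n'
    '{"severity" : "ERROR",\n "timestamp" : "2024-05-01 10:00:09",\n "msg" : "end"}\n'
    '{"severity":"WARN","timestamp":"2024-05-01 10:00:12","msg":"compact"}\n'
)

def check_sample() -> list:
    """Per broken event: (is valid JSON, extracted timestamp or None)."""
    return [(is_json(ev), extract_timestamp(ev)) for ev in break_events(SAMPLE)]
```

Paste a few real events from the forwarder into SAMPLE; any event that comes back invalid or without a timestamp points at a regex to adjust before deploying.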

LealP
Explorer

@richgalloway do you know which one is used?

./splunkforwarder/etc/apps/search/default/props.conf
./splunkforwarder/etc/apps/SplunkUniversalForwarder/default/props.conf
./splunkforwarder/etc/apps/learned/local/props.conf
./splunkforwarder/etc/apps/splunk_internal_metrics/default/props.conf
./splunkforwarder/etc/system/default/props.conf


richgalloway
SplunkTrust

All of them. Splunk merges the settings from all of the props.conf files to arrive at a final configuration. You can use btool to get the same information.

splunk btool props list <<mysourcetype>>

Replace <<mysourcetype>> with the name of the sourcetype used by this input.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

It looks like the LINE_BREAKER setting may need to be adjusted. Please share the props.conf stanza for this input and we'll suggest some changes.

---
If this reply helps you, Karma would be appreciated.