Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

break a json log

gcusello
SplunkTrust
SplunkTrust
‎09-11-2020 04:00 AM

Hi at all,

I have a json log that in a single json contains many events:

 

{"response":{"caseEvents":[{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8551","eventTime":"2020-06-24T13:21:00.664+00:00","eventType":"PAYMENT"}},{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8552","eventTime":"2020-06-24T13:21:01.664+00:00","eventType":"PAYMENT"}}}]}

 

in the same json I have many eventDetails section (here only two with few fields, but they are many more).

I tried to use:

 

 indexed_extractions=JSON

 

and

 

LINE_BREAKER  = \{\"eventDetails\"

 

but it still remains one.

How can I approach the problem?

Ciao.

Giuseppe

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-12-2020 11:16 PM

@gcusello 

please have a look at below 

 

[ __auto__learned__ ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(\{\"eventDetails\"\:)
NO_BINARY_CHECK=true
SEDCMD-tailchars=s/(.*\"\}{1}).*/\1/g

 

Added SEDCMD class to remove unwanted characters at end of the line.

you need to deal with pre-text which is in first event.

 json-parser-1.png

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-12-2020 11:16 PM

@gcusello 

please have a look at below 

 

[ __auto__learned__ ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(\{\"eventDetails\"\:)
NO_BINARY_CHECK=true
SEDCMD-tailchars=s/(.*\"\}{1}).*/\1/g

 

Added SEDCMD class to remove unwanted characters at end of the line.

you need to deal with pre-text which is in first event.

 json-parser-1.png

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

uwehermann
Engager
‎09-11-2020 06:23 AM

Well, depending on the formatting of the json log files, you at least need the following in props.conf:

SHOULD_LINEMERGE = false

If the data is not prettyprinted, the following should help:

LINE_BREAKER= \}(,)\{

If the data is prettyprinted, the following may be used to allow for whitespaces between the comma and the curly brace:

LINE_BREAKER = \}(,\s*)\{

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎09-11-2020 04:45 AM

would there be any option to split them before indexing to Splunk? instead of depending on props.conf , is it possible to make changes in modular inputs if you are using one?

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-11-2020 05:53 AM

Hi @thambisetty,

I'd like to avoid to pre-elaborate the source with a script before indexing!

I'd like to find a way to split events in Splunk.

Have you another idea?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...