Getting Data In

break a json log

gcusello
SplunkTrust

Hi all,

I have a JSON log that contains many events in a single JSON document:

 

{"response":{"caseEvents":[{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8551","eventTime":"2020-06-24T13:21:00.664+00:00","eventType":"PAYMENT"}},{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8552","eventTime":"2020-06-24T13:21:01.664+00:00","eventType":"PAYMENT"}}]}}

 

In the same JSON I have many eventDetails sections (here only two with few fields, but there are many more).

I tried to use:

 

indexed_extractions=JSON

and

LINE_BREAKER  = \{\"eventDetails\"

but it still remains one event.

How can I approach the problem?

Ciao.

Giuseppe


thambisetty
SplunkTrust

@gcusello

Please have a look at the config below:

[ __auto__learned__ ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(\{\"eventDetails\"\:)
NO_BINARY_CHECK=true
SEDCMD-tailchars=s/(.*\"\}{1}).*/\1/g

Added a SEDCMD class to remove the unwanted characters at the end of the line.

You need to deal with the pre-text, which is in the first event.

(attachment: json-parser-1.png)

————————————
If this helps, give a like below.


uwehermann
Engager

Well, depending on the formatting of the json log files, you at least need the following in props.conf:

SHOULD_LINEMERGE = false

If the data is not pretty-printed, the following should help:

LINE_BREAKER= \}(,)\{

If the data is pretty-printed, the following may be used to allow for whitespace between the comma and the curly brace:

LINE_BREAKER = \}(,\s*)\{

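
To see what the two props.conf approaches on this page actually do to the poster's sample, here is an added Python emulation. It is not Splunk's code and not from either answer; it follows the documented LINE_BREAKER semantics (the text matched by the first capturing group is discarded and marks the event boundary) and treats SEDCMD as an s/regex/replacement/flags substitution on the raw event. It runs the accepted answer's LINE_BREAKER plus SEDCMD, and separately the `\}(,)\{` breaker from the reply above, over a constructed copy of the sample JSON with balanced braces, then reports which resulting events parse as JSON on their own. Function names, the constructed sample and the use of Python's `re` in place of Splunk's PCRE are assumptions.

```python
import json
import re

# Constructed sample: the poster's single-line JSON, with the braces balanced
# so that the whole document parses (two eventDetails objects in caseEvents).
RAW = (
    '{"response":{"caseEvents":['
    '{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8551",'
    '"eventTime":"2020-06-24T13:21:00.664+00:00","eventType":"PAYMENT"}},'
    '{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8552",'
    '"eventTime":"2020-06-24T13:21:01.664+00:00","eventType":"PAYMENT"}}'
    ']}}'
)

# props.conf values quoted from the accepted answer and from the reply above.
ACCEPTED_LINE_BREAKER = r'(\{\"eventDetails\"\:)'
ACCEPTED_SEDCMD = r's/(.*\"\}{1}).*/\1/g'
COMPACT_LINE_BREAKER = r'\}(,)\{'


def has_capture_group(line_breaker):
    # Splunk requires LINE_BREAKER to contain a capturing group; the poster's
    # first attempt (the breaker without parentheses) has none.
    return re.compile(line_breaker).groups > 0


def line_break(raw, line_breaker):
    """Emulate LINE_BREAKER as props.conf.spec describes it: the previous event
    ends where the first capturing group starts, the next event begins where it
    ends, and the group's own text is discarded."""
    if not has_capture_group(line_breaker):
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e]  # drop empty chunks


def apply_sedcmd(event, sedcmd):
    """Apply a SEDCMD of the form s/<regex>/<replacement>/<flags> to one raw
    event, using Python's re in place of Splunk's PCRE (assumption: the
    patterns on this page behave the same in both)."""
    if not sedcmd.startswith("s") or len(sedcmd) < 2:
        raise ValueError("only s/regex/replacement/flags is emulated")
    delim = sedcmd[1]
    regex, repl, flags = sedcmd[2:].split(delim)
    return re.sub(regex, repl, event, count=0 if "g" in flags else 1)


def split_like_accepted_answer(raw=RAW):
    """The accepted answer: break on the eventDetails key and trim each event
    after its last closing quote-brace pair."""
    return [apply_sedcmd(e, ACCEPTED_SEDCMD)
            for e in line_break(raw, ACCEPTED_LINE_BREAKER)]


def split_like_compact_answer(raw=RAW):
    """The reply's breaker for non-pretty-printed data: break on },{ alone."""
    return line_break(raw, COMPACT_LINE_BREAKER)


def parseable(events):
    """True for each event that is valid JSON on its own."""
    flags = []
    for e in events:
        try:
            json.loads(e)
            flags.append(True)
        except json.JSONDecodeError:
            flags.append(False)
    return flags


def event_ids(events):
    """eventId of every event that parses; the pre-text chunk is skipped."""
    return [json.loads(e)["eventId"]
            for e, ok in zip(events, parseable(events)) if ok]


if __name__ == "__main__":
    for label, events in (("accepted answer", split_like_accepted_answer()),
                          ("},{ breaker", split_like_compact_answer())):
        print(label)
        for e, ok in zip(events, parseable(events)):
            print("  valid JSON" if ok else "  NOT JSON  ", e)
```

With the accepted settings the sample becomes three events: the `{"response":{"caseEvents":[` pre-text the answer warns about, followed by two events that parse as JSON (note that the `{"eventDetails":` wrapper itself is consumed by the capture group, so eventId sits at the top level). The `\}(,)\{` breaker alone yields two chunks, neither of which parses, because the array opening stays glued to the first one and the closing `]}}` to the last; that is why some tail-trimming SEDCMD is still needed with compact input of this shape.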

thambisetty
SplunkTrust

Would there be any option to split them before indexing into Splunk? Instead of depending on props.conf, is it possible to make changes in the modular input, if you are using one?

————————————
If this helps, give a like below.

gcusello
SplunkTrust

Hi @thambisetty,

I'd like to avoid pre-processing the source with a script before indexing!

I'd like to find a way to split events in Splunk.

Do you have another idea?

Ciao.

Giuseppe
