Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

break a json log

gcusello
Esteemed Legend
‎09-11-2020 04:00 AM

Hi at all,

I have a json log that in a single json contains many events:

 

{"response":{"caseEvents":[{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8551","eventTime":"2020-06-24T13:21:00.664+00:00","eventType":"PAYMENT"}},{"eventDetails":{"eventDescription":"SCT","eventId":"TRX8552","eventTime":"2020-06-24T13:21:01.664+00:00","eventType":"PAYMENT"}}}]}

 

in the same json I have many eventDetails section (here only two with few fields, but they are many more).

I tried to use:

 

 indexed_extractions=JSON

 

and

 

LINE_BREAKER  = \{\"eventDetails\"

 

but it still remains one.

How can I approach the problem?

Ciao.

Giuseppe

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-12-2020 11:16 PM

@gcusello 

please have a look at below 

 

[ __auto__learned__ ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(\{\"eventDetails\"\:)
NO_BINARY_CHECK=true
SEDCMD-tailchars=s/(.*\"\}{1}).*/\1/g

 

Added SEDCMD class to remove unwanted characters at end of the line.

you need to deal with pre-text which is in first event.

 json-parser-1.png

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-12-2020 11:16 PM

@gcusello 

please have a look at below 

 

[ __auto__learned__ ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(\{\"eventDetails\"\:)
NO_BINARY_CHECK=true
SEDCMD-tailchars=s/(.*\"\}{1}).*/\1/g

 

Added SEDCMD class to remove unwanted characters at end of the line.

you need to deal with pre-text which is in first event.

 json-parser-1.png

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

uwehermann
Engager
‎09-11-2020 06:23 AM

Well, depending on the formatting of the json log files, you at least need the following in props.conf:

SHOULD_LINEMERGE = false

If the data is not prettyprinted, the following should help:

LINE_BREAKER= \}(,)\{

If the data is prettyprinted, the following may be used to allow for whitespaces between the comma and the curly brace:

LINE_BREAKER = \}(,\s*)\{

0 Karma
Reply
Solved! Jump to solution

thambisetty
Super Champion
‎09-11-2020 04:45 AM

would there be any option to split them before indexing to Splunk? instead of depending on props.conf , is it possible to make changes in modular inputs if you are using one?

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎09-11-2020 05:53 AM

Hi @thambisetty,

I'd like to avoid to pre-elaborate the source with a script before indexing!

I'd like to find a way to split events in Splunk.

Have you another idea?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...