Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to break the JSON data?

vrmandadi
Builder
‎02-20-2016 12:20 PM

Hello Experts,

Attached is the sample JSON file which I am trying to upload to Splunk.I have uploaded it by Splunk WEB and it broke the events successfully but when I am trying to upload via CLI it is taking all 8 events into a single event.Can you please help how to break those events(8).

Tags (4)
Preview file
58 KB
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎02-21-2016 02:33 AM

When you upload the data via the UI, Splunk detects the source file format and assigns a sourcetype that makes sense. In this case, probably _json
If you want to achieve the same result via the command line, you need to configure and specify a sourcetype with the proper settings for your json data. When you are using the command line, you have to replace some of the smarts of the UI with manual actions.
I'd recommend reading (at least) this chapter of the Getting Data In manual to understand how Splunk processes data.

You can also go through the UI once, then save the sourcetype settings under a new name you chose, and then use that sourcetype on subsequent CLI uploads.

0 Karma
Reply

vrmandadi
Builder
‎02-21-2016 06:27 PM

I tried using the same UI sourcetype with CLI ,but it did not work,If you could help me with the sourcetype for CLI that would be great

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...