Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to break the JSON data?

vrmandadi
Builder
‎02-20-2016 12:20 PM

Hello Experts,

Attached is the sample JSON file which I am trying to upload to Splunk.I have uploaded it by Splunk WEB and it broke the events successfully but when I am trying to upload via CLI it is taking all 8 events into a single event.Can you please help how to break those events(8).

Tags (4)
dcd-sample-data-for-splunk-dashboard.txt
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎02-21-2016 02:33 AM

When you upload the data via the UI, Splunk detects the source file format and assigns a sourcetype that makes sense. In this case, probably _json
If you want to achieve the same result via the command line, you need to configure and specify a sourcetype with the proper settings for your json data. When you are using the command line, you have to replace some of the smarts of the UI with manual actions.
I'd recommend reading (at least) this chapter of the Getting Data In manual to understand how Splunk processes data.

You can also go through the UI once, then save the sourcetype settings under a new name you chose, and then use that sourcetype on subsequent CLI uploads.

0 Karma
Reply

vrmandadi
Builder
‎02-21-2016 06:27 PM

I tried using the same UI sourcetype with CLI ,but it did not work,If you could help me with the sourcetype for CLI that would be great

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...