Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to break the JSON data?

vrmandadi
Builder
‎02-20-2016 12:20 PM

Hello Experts,

Attached is the sample JSON file which I am trying to upload to Splunk.I have uploaded it by Splunk WEB and it broke the events successfully but when I am trying to upload via CLI it is taking all 8 events into a single event.Can you please help how to break those events(8).

Tags (4)
dcd-sample-data-for-splunk-dashboard.txt
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎02-21-2016 02:33 AM

When you upload the data via the UI, Splunk detects the source file format and assigns a sourcetype that makes sense. In this case, probably _json
If you want to achieve the same result via the command line, you need to configure and specify a sourcetype with the proper settings for your json data. When you are using the command line, you have to replace some of the smarts of the UI with manual actions.
I'd recommend reading (at least) this chapter of the Getting Data In manual to understand how Splunk processes data.

You can also go through the UI once, then save the sourcetype settings under a new name you chose, and then use that sourcetype on subsequent CLI uploads.

0 Karma
Reply

vrmandadi
Builder
‎02-21-2016 06:27 PM

I tried using the same UI sourcetype with CLI ,but it did not work,If you could help me with the sourcetype for CLI that would be great

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...