Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to break the JSON data?

vrmandadi
Builder
‎02-20-2016 12:20 PM

Hello Experts,

Attached is the sample JSON file which I am trying to upload to Splunk.I have uploaded it by Splunk WEB and it broke the events successfully but when I am trying to upload via CLI it is taking all 8 events into a single event.Can you please help how to break those events(8).

Tags (4)
dcd-sample-data-for-splunk-dashboard.txt
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎02-21-2016 02:33 AM

When you upload the data via the UI, Splunk detects the source file format and assigns a sourcetype that makes sense. In this case, probably _json
If you want to achieve the same result via the command line, you need to configure and specify a sourcetype with the proper settings for your json data. When you are using the command line, you have to replace some of the smarts of the UI with manual actions.
I'd recommend reading (at least) this chapter of the Getting Data In manual to understand how Splunk processes data.

You can also go through the UI once, then save the sourcetype settings under a new name you chose, and then use that sourcetype on subsequent CLI uploads.

0 Karma
Reply

vrmandadi
Builder
‎02-21-2016 06:27 PM

I tried using the same UI sourcetype with CLI ,but it did not work,If you could help me with the sourcetype for CLI that would be great

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...