Solved: Re: how to forward JSON data to splunk Properly

kirrusk · ‎11-25-2020

I have a json file like below, i need to broke it up in to events

{"env":"UAT","label":"jenkins-17887.api.v2.dm.btc","App":"dm-d-services","rlmtemplate":"f2_api_fed","lastupdate":2020-11-23 11:09:78:455,"region":"APAC"},{"env":"UAT","label":"jenkins-17687.api.v2.dm.btc","App":"dt-s-services","rlmtemplate":"f3_api_fed","lastupdate":2020-11-23 11:025:79:475,"region":"APAC"},{"env":"UAT","label":"jenkins-18657.api.v2.dm.btc","App":"dt-s-services","rlmtemplate":"f3_api_fed","lastupdate":2020-11-23 11:025:79:475,"region":"APAC"},{"env":"UAT","label":"jenkins-17637.api.v2.dm.btc","App":"dt-s-services","rlmtemplate":"f3_api_fed","lastupdate":2020-11-23 11:025:79:475,"region":"APAC"}

I'm trying to forward it to splunk

modified props.conf file like below

[test_json]

INDEXED_EXTRACTIONS = JSON

LINEBREAKER = }(,){"env":

SHOULD_LINEMERGE = false

NO_BINARY_CHECK = true

TRUNCATE = 0

TZ = Asia/Singapore

But only getting first line of json as event , remaining data is not coming to splunk.

==Firstline ==

"env":"UAT","label":"jenkins-17887.api.v2.dm.btc","App":"dm-d-services","rlmtemplate":"f2_api_fed","lastupdate":2020-11-23 11:09:78:455,"region":"APAC"

Can any one suggest what's going wrong.

kirrusk · ‎11-25-2020

Thank you all, it's working for me after removing comma's using sed command.

View solution in original post

kirrusk · ‎11-25-2020

Thank you all, it's working for me after removing comma's using sed command.

burwell · ‎11-25-2020

Hi. What simplified things for me was to ask the people creating logs not to have the trailing comma. So the logs look like this

{"timestamp": "2020-11-25 08:59:24 UTC", "hostname": "foo.com", "status": "failed"}
{"timestamp": "2020-11-25 08:59:29 UTC", "hostname": "bar.com", "status": "passed"}

Props are

[my_sourcetype]
INDEXED_EXTRACTIONS = JSON
KV_MODE = none
SHOULD_LINEMERGE=false
TIME_PREFIX = timestamp\":\s*\"
TIME_FORMAT=%Y-%m-%d %H:%M:%S %Z
MAX_TIMESTAMP_LOOKAHEAD=23
TRUNCATE=99999

richgalloway · ‎11-25-2020

"LINEBREAKER" should be "LINE_BREAKER". The props must be installed on the first heavy forwarder or indexer the events pass through. Don't forget to restart Splunk after modifying props.conf.

---
If this reply helps you, Karma would be appreciated.

kirrusk · ‎11-25-2020

@richgalloway I have used LINE_BREAKER , and props is installed on indexer. Still not working.

to4kawa · ‎11-25-2020

[test_json]
DATETIME_CONFIG = 
KV_MODE = json
LINE_BREAKER = (,){
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %F %H:%M
TIME_PREFIX = lastupdate\":

indexed_extractions can't work.

kirrusk · ‎11-25-2020

@to4kawa Modified props but it's giving single event without breaking json

how to forward JSON data to splunk Properly

field extraction

heavy forwarder

index

indexer

inputs.conf

JSON

props.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

how to forward JSON data to splunk Properly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.