Getting Data In

how to index a json file ?

abilis
Explorer

HI,

i am trying to index a local json file, but when going trough the sourcetype the predefined json source type is not reading the file properly..splunk put everything in one line...no detecting time format or something (see attached file)

this is an exemple inside the file

{
    "records": 
    [

        {
            "time": "2018-05-11T13:29:03Z",     
             "GatewayId": "4r566-5678-4753-968f-34568",
             "Region": "unknown",
              "operationName": "ApplicationGatewayAccess",
              "category": "ApplicationGatewayAccessLog",
            }
        ,
{
            "time": "2018-05-11T13:29:05Z",         
             "GatewayId": "4r566-ae57-dfg543-968f-xxx45t67",
             "Region": "unknown",
             "operationName": "ApplicationGatewayAccess",
             "category": "ApplicationGatewayAccessLog",
            }

can someone help me to figure this out ?

thanks for your supportalt text

Tags (2)
0 Karma

poete
Builder

Hello. The pb is i the json file. Please remove the last comma of each record, and try again. For instance, based on your example :


{
    "records": [

        {
            "time": "2018-05-11T13:29:03Z",
            "GatewayId": "4r566-5678-4753-968f-34568",
            "Region": "unknown",
            "operationName": "ApplicationGatewayAccess",
            "category": "ApplicationGatewayAccessLog"
        },
        {
            "time": "2018-05-11T13:29:05Z",
            "GatewayId": "4r566-ae57-dfg543-968f-xxx45t67",
            "Region": "unknown",
            "operationName": "ApplicationGatewayAccess",
            "category": "ApplicationGatewayAccessLog"
        }
0 Karma

ansif
Motivator

If the JSON response is from REST API call then I can help you with rest_ta response handler script.

0 Karma

abilis
Explorer

the jason file is stored locally in splunk server to index once

0 Karma

MuS
SplunkTrust
SplunkTrust

If Splunk does not pick up the JSON event straight away, it is most likely not pure JSON.
Put your JSON events into any JSON validator to see if it is pure JSON.

cheers, MuS

0 Karma

abilis
Explorer

i verified, the validator says json is valid, splunk is showing all records in one line with only one timestamp...i am expecting 4 lines

is this a time format error ?

0 Karma

abilis
Explorer

i found that splunk is not indexing separate events because the json file starts with { and ends with } if i removed those character splunk will give me a line per event.

now the question is: how can i remove the { at the beginning and the } at the end with splunk before indexing?

thanks

0 Karma

MuS
SplunkTrust
SplunkTrust

But, looking at the screenshot this looks not too bad. What or where do you think it breaks or behaves badly?

0 Karma

xpac
SplunkTrust
SplunkTrust

I guess he/she wants it to be separate events, but the whole JSON is indexed as a single event. Right?

0 Karma

abilis
Explorer

yes, you are correct...i want separate events since they are at different times

0 Karma

krishnapriya
Observer

Hi Have you found the answers to it. Even I am facing the same problem.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...