Solved: Re: how to parse json to extract multiple line eve...

sfatnass · ‎09-08-2016

i have one file json that contain many object like that :

{
    "id": 1,
    "name": "toto",
    "price": 1.50,
    "tags": ["travel", "red"] } 
{
        "id": 2,
        "name": "toto",
        "price": 12,
        "tags": ["home", "green"] }

i need to extract that on two event for the example : how can i use line_breaker on props.conf

thx

jkat54 · ‎09-08-2016

This method will index each field name in the json payload:

[ <SOURCETYPE NAME> ]  
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=AUTO
INDEXED_EXTRACTIONS=json
KV_MODE=none
disabled=false
pulldown_type=true

This would not and would come at a lower performance cost:

[ <SOURCETYPE NAME> ]
CHARSET=AUTO
SHOULD_LINEMERGE=false
disabled=false
LINE_BREAKER=(^){.*"id":

View solution in original post

jkat54 · ‎09-08-2016

This method will index each field name in the json payload:

[ <SOURCETYPE NAME> ]  
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=AUTO
INDEXED_EXTRACTIONS=json
KV_MODE=none
disabled=false
pulldown_type=true

This would not and would come at a lower performance cost:

[ <SOURCETYPE NAME> ]
CHARSET=AUTO
SHOULD_LINEMERGE=false
disabled=false
LINE_BREAKER=(^){.*"id":

sfatnass · ‎09-08-2016

this is my current configuraiton in the props.conf
[json]

[source::.../mysource...]
sourcetype = json
SHOULD_LINEMERGE = false
TRUNCATE=0
NO_BINARY_CHECK = 1
LINE_BREAKER = ([\r\n]+){

then i need to have something like that :

[json]

[source::.../mysource...]
 SHOULD_LINEMERGE=true
 NO_BINARY_CHECK=true
 CHARSET=AUTO
 INDEXED_EXTRACTIONS=json
 KV_MODE=json
 disabled=false
 pulldown_type=true

it's ok like that, it work very well and the performence is great thx

jkat54 · ‎09-08-2016

Do you want the fields extracted at index time or search time?

Both examples I gave you worked with your example data so either you didn't reindex the data, didn't put the props in the correct place, or maybe the example data you provided isn't exactly like the data you're ingesting.

jkat54 · ‎09-08-2016

The settings you used would index the fields and would need to be placed on the universal forwarder and indexers. It wouldn't apply to data already ingested either.

sfatnass · ‎09-08-2016

just to extract json for many event like your exemple and extract all field too, because i will use some request and i need to know who the field contain the correct value ^^
but it's ok and thx for your reply

jkat54 · ‎09-08-2016

great, just so you know the INDEXED_EXTRACTIONS will consume more disk space and does require more CPU on the indexers/forwarders

sfatnass · ‎09-08-2016

ok but it's more performent no? the objectif of my project is to play more speed ^^

jkat54 · ‎09-08-2016

It can be faster when you're searching for the fields involved yes.

how to parse json to extract multiple line event ?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk