Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- index unstructured JSON file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index unstructured JSON file
i have this following content in my JSON file need to break the event with stats
Please Help construct props.conf
{
"type": "AAA",
"name": "AAA AAA",
"path": "",
"pathFormatted": "AAA-AAA-AAA",
"stats": {
"name": "Global AAA",
"numberOfRequests": {
"total": 175,
"ok": 167,
"ko": 8
},
"minResponseTime": {
"total": 147,
"ok": 147,
"ko": 179
},
"maxResponseTime": {
"total": 60006,
"ok": 21336,
"ko": 60006
},
"meanResponseTime": {
"total": 1869,
"ok": 1570,
"ko": 8118
},
"standardDeviation": {
"total": 5150,
"ok": 2719,
"ko": 19619
},
"percentiles1": {
"total": 1948,
"ok": 1958,
"ko": 1566
},
"percentiles2": {
"total": 2339,
"ok": 2336,
"ko": 19133
},
"percentiles3": {
"total": 4868,
"ok": 4800,
"ko": 39569
},
"percentiles4": {
"total": 19735,
"ok": 15398,
"ko": 55919
},
"group1": {
"name": "t < 5000 ms",
"count": 161,
"percentage": 92
},
"group2": {
"name": "5000 ms < t < 7500 ms",
"count": 1,
"percentage": 1
},
"group3": {
"name": "t > 7500 ms",
"count": 5,
"percentage": 3
},
"group4": {
"name": "failed",
"count": 8,
"percentage": 5
},
"meanNumberOfRequestsPerSecond": {
"total": 0.12455516014234876,
"ok": 0.11886120996441281,
"ko": 0.0056939501779359435
}
},
"contents": {
"AAA-AAA": {
"type": "AAA",
"name": "AAA",
"path": "AAA",
"pathFormatted": "AAA-0f98b",
"stats": {
"name": "AAA",
"numberOfRequests": {
"total": 5,
"ok": 5,
"ko": 0
},
"minResponseTime": {
"total": 4759,
"ok": 4759,
"ko": 0
},
"maxResponseTime": {
"total": 5361,
"ok": 5361,
"ko": 0
},
"meanResponseTime": {
"total": 4984,
"ok": 4984,
"ko": 0
},
"standardDeviation": {
"total": 210,
"ok": 210,
"ko": 0
},
"percentiles1": {
"total": 4997,
"ok": 4997,
"ko": 0
},
"percentiles2": {
"total": 5215,
"ok": 5215,
"ko": 0
},
"percentiles3": {
"total": 5288,
"ok": 5288,
"ko": 0
},
"percentiles4": {
"total": 5346,
"ok": 5346,
"ko": 0
},
"group1": {
"name": "t < 5000 ms",
"count": 4,
"percentage": 80
},
"group2": {
"name": "5000 ms < t < 7500 ms",
"count": 1,
"percentage": 20
},
"group3": {
"name": "t > 7500 ms",
"count": 0,
"percentage": 0
},
"group4": {
"name": "failed",
"count": 0,
"percentage": 0
},
"meanNumberOfRequestsPerSecond": {
"total": 0.0035587188612099642,
"ok": 0.0035587188612099642,
"ko": 0
}
}
}
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sivaranjiniG,
You can try this one
inputs.conf
[monitor:///var/log/json.log]
sourcetype = myjson
props.conf
[myjson]
REPORT-json = report-json,report-json-kv
Transforms.conf
[report-json]
# This will get the json payload from the logs.
# Put your specific logic if you need. Below is a very basic logic baed on { bracket
REGEX = (?P{.+)
# Manually extract JSON key-value
[report-json-kv]
REGEX = \"(\w+)\":[\s]*\"([^\,}\"]+)
FORMAT = $1::$2
MV_ADD = true
Original Source : https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to break events before stats then try in props.conf-
[sourcetypename]
BREAK_ONLY_BEFORE = stats
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
