Solved: jsonlinebreaker processing a valid json file

kulrajatwal · ‎11-11-2021

I am forwarding some json files from a splunk forwarder on linux, example file below:

{
"dateTime" : "04/11/2021 08:22:30",
"functionName" : "ZAUTOPSRALL",
"userId" : "sanchez",
"issueCategory" : "PSR",
"issueType" : "HDRUNKNOWN",
"issueSummary" : "PSR File Processing â\u0080\u0093 Cannot match to original file",
"issueDescription" : "The received PSR file "PSR_CBD174.PAIN001_DTLRJCT3.xml" refers to an unknown original file.\n\nPSR file\nName: PSR_CBD174.PAIN001_DTLRJCT3.xml\nCreated: 2021-10-08T12:09:43+01:00\nMessage ID: LBG/0000000027834/003\n\nReference to original file\nMessage ID: MSGID/PAIN001/20210913T100930/1\nStatus: RJCT\nControl sum: 38965.82\nNumber of transactions: 86",
"exceptionType" : null,
"notificationId" : null,
"timeStamp" : 1636014150661056
}

Its not being indexed, i found the following errors for this fle in the splunkd.log

I ran the json through a json checker and it was valid so not sure why splunk is complaining. Any help would be much apreciated.

11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character while parsing backslash escape: 'x' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"

11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character: ':' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"

11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character in string: '\0A' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"

kulrajatwal · ‎11-15-2021

I found by running json through

cat <json file> | od -A n -t x1

I could see all the hex chars relating to the splunk errors and fix the json to a format splunk accepts

View solution in original post

kulrajatwal · ‎11-15-2021

I found by running json through

cat <json file> | od -A n -t x1

I could see all the hex chars relating to the splunk errors and fix the json to a format splunk accepts

WonjinKim · ‎10-23-2024

Hi @kulrajatwal

How to check in hex chars?

I have the same issues in my splunk, So I got the raw data file and process your command to it.

But I don't know how to check the invalid chars in my raw data.

Could you explain in detail? What is the splunk's accepted format? and how to fix in my json?

jsonlinebreaker processing a valid json file

JSON

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation