- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- jsonlinebreaker processing a valid json file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am forwarding some json files from a splunk forwarder on linux, example file below:
{
"dateTime" : "04/11/2021 08:22:30",
"functionName" : "ZAUTOPSRALL",
"userId" : "sanchez",
"issueCategory" : "PSR",
"issueType" : "HDRUNKNOWN",
"issueSummary" : "PSR File Processing â\u0080\u0093 Cannot match to original file",
"issueDescription" : "The received PSR file "PSR_CBD174.PAIN001_DTLRJCT3.xml" refers to an unknown original file.\n\nPSR file\nName: PSR_CBD174.PAIN001_DTLRJCT3.xml\nCreated: 2021-10-08T12:09:43+01:00\nMessage ID: LBG/0000000027834/003\n\nReference to original file\nMessage ID: MSGID/PAIN001/20210913T100930/1\nStatus: RJCT\nControl sum: 38965.82\nNumber of transactions: 86",
"exceptionType" : null,
"notificationId" : null,
"timeStamp" : 1636014150661056
}
Its not being indexed, i found the following errors for this fle in the splunkd.log
I ran the json through a json checker and it was valid so not sure why splunk is complaining. Any help would be much apreciated.
11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character while parsing backslash escape: 'x' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"
11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character: ':' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"
11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character: ':' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"
11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character: ':' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"
11-05-2021 15:48:57.625 +0000 ERROR JsonLineBreaker [10224113 structuredparsing] - JSON StreamId:14224088848725967690 had parsing error:Unexpected character in string: '\0A' - data_source="/sanchez/instances/beta/log/splunk/splunk_1636014150661056_19399032.json", data_host="pbasalsldw002", data_sourcetype="_json"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found by running json through
cat <json file> | od -A n -t x1
I could see all the hex chars relating to the splunk errors and fix the json to a format splunk accepts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found by running json through
cat <json file> | od -A n -t x1
I could see all the hex chars relating to the splunk errors and fix the json to a format splunk accepts
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
