- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- linebreaker for json sourcetype
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
linebreaker for json sourcetype
I am trying to break the below json data into each event
{"audit_logs": [{"url": "https://Company.udesk.com/api/v2/audit_logs/3650750.json", "id": 3650750, "actor_id": 27401, "source_id": 36012509503, "source_type": "view", "source_label": "View: Copy of ALL CX BC", "action": "create", "change_description": "", "ip_address": "116.10.16.1", "created_at": "2019-12-13T06:04:32Z", "user": "VASU JOGI"}, {"url": "https://Company.udesk.com/api/v2/audit_logs/365073140614.json", "id": 365073140614, "actor_id": 28319638, "source_id": 3600001411, "source_type": "account_setting", "source_label": "Account Assumption", "action": "update", "change_description": "Changed", "ip_address": "160.12.15.26", "created_at": "2019-12-12T22:18:14Z", "user": "Sejal Jack"}]}
from the above log event 1 should be as below and rest of the message should be another event.
{"url": "https://Company.udesk.com/api/v2/audit_logs/3650750.json", "id": 3650750, "actor_id": 27401, "source_id": 36012509503, "source_type": "view", "source_label": "View: Copy of ALL CX BC", "action": "create", "change_description": "", "ip_address": "116.10.16.1", "created_at": "2019-12-13T06:04:32Z", "user": "VASU JOGI"},
Below is my Props.conf which is deployed on UF. Please help to get it working
[_json]
LINE_BREAKER = (,*\s+){"url"
SHOULD_LINEMERGE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try using below-mentioned search for your json index
search
| rex "(?<json>\{.+)" | spath input=json | fields - json
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[audit_json]
SEDCMD-trim = s/^.*\[(.*)\]}/\1/g
LINE_BREAKER = }(,)
KV_MODE = json
SHOULD_LINEMERGE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use the path command mit curl braces.
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Spath
|spath input=_raw output=events path=audit_logs{}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No it is not working? is it possible to do it via props file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The input of _raw need to be the blank JSON String
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes i tried, but no luck? is it not possible to do the parsing via props.conf .I am looking for search time field extraction.
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk
Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability
