Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

linebreaker for json sourcetype

martinnepolean
Explorer
‎01-14-2020 02:32 AM

I am trying to break the below json data into each event

{"audit_logs": [{"url": "https://Company.udesk.com/api/v2/audit_logs/3650750.json", "id": 3650750, "actor_id": 27401, "source_id": 36012509503, "source_type": "view", "source_label": "View: Copy of ALL CX BC", "action": "create", "change_description": "", "ip_address": "116.10.16.1", "created_at": "2019-12-13T06:04:32Z", "user": "VASU JOGI"}, {"url": "https://Company.udesk.com/api/v2/audit_logs/365073140614.json", "id": 365073140614, "actor_id": 28319638, "source_id": 3600001411, "source_type": "account_setting", "source_label": "Account Assumption", "action": "update", "change_description": "Changed", "ip_address": "160.12.15.26", "created_at": "2019-12-12T22:18:14Z", "user": "Sejal Jack"}]}

from the above log event 1 should be as below and rest of the message should be another event.
{"url": "https://Company.udesk.com/api/v2/audit_logs/3650750.json", "id": 3650750, "actor_id": 27401, "source_id": 36012509503, "source_type": "view", "source_label": "View: Copy of ALL CX BC", "action": "create", "change_description": "", "ip_address": "116.10.16.1", "created_at": "2019-12-13T06:04:32Z", "user": "VASU JOGI"},

Below is my Props.conf which is deployed on UF. Please help to get it working

[_json]
LINE_BREAKER = (,*\s+){"url"
SHOULD_LINEMERGE = false

0 Karma
Reply

sumanssah
Communicator
‎02-29-2020 07:50 PM

try using below-mentioned search for your json index

search
   | rex "(?<json>\{.+)" | spath input=json | fields - json
0 Karma
Reply

to4kawa
Ultra Champion
‎02-29-2020 06:37 PM

props.conf

[audit_json]
SEDCMD-trim = s/^.*\[(.*)\]}/\1/g
LINE_BREAKER = }(,)
KV_MODE = json
SHOULD_LINEMERGE = false
0 Karma
Reply

calcometer
Explorer
‎01-14-2020 05:18 AM

Use the path command mit curl braces.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Spath

|spath input=_raw output=events path=audit_logs{}

0 Karma
Reply

martinnepolean
Explorer
‎01-14-2020 07:47 AM

No it is not working? is it possible to do it via props file?

0 Karma
Reply

calcometer
Explorer
‎01-15-2020 01:29 AM

The input of _raw need to be the blank JSON String

0 Karma
Reply

martinnepolean
Explorer
‎01-15-2020 04:40 AM

yes i tried, but no luck? is it not possible to do the parsing via props.conf .I am looking for search time field extraction.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...