Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: need help in formatting the data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need help in formatting the data
Hello All,
i'm trying to format the "json" formatted data with a custom sourcetype. below are my sample events
{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"6.3.1","agentid":"PBPS","severity":"0","eventid":"PBPS","eventname":"Requestor","eventdesc":"Request Response Expire","eventdate":"Nov 07 2017 21:31:11","sourcehost":"test-vm-1","sourceip":"127.0.0.1","eventsubject":"0127.0.00.001","eventtype":"0","user":"ssltest", "nvps" : {"clienthost":"test-vm-1", "eventseverity":"0", "logsystemid":"121", "logtime":"11/07/2017 21:31:11", "username":"ssltest", "userid":"2", "roleused":"Requestor", "objecttypeid":"7", "objecttype":"Request Response", "objectid":"14", "operation":"Expire", "failed":"False", "target":"localhost/btuser", "details":"ReleaseRequest #9"}}{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"6.3.1","agentid":"PBPS","severity":"0","eventid":"PBPS","eventname":"System","eventdesc":"Release Request Expire","eventdate":"Nov 07 2017 21:31:11","sourcehost":"test-vm-1","sourceip":"127.0.0.1","eventsubject":"0127.0.00.001","eventtype":"0","user":"Internal process","workgroupid":"1","workgroupdesc":"BeyondTrust Workgroup", "nvps" : {"clienthost":"test-vm-1", "eventseverity":"0", "logsystemid":"122", "logtime":"11/07/2017 21:31:11", "username":"Internal process", "userid":"0", "roleused":"System", "objecttypeid":"6", "objecttype":"Release Request", "objectid":"9", "operation":"Expire", "failed":"False", "target":"ManagedSystem=localhost ManagedAccount=btuser", "details":"ReleaseRequest #9, Ticket #, TicketSystem="}}
and props.conf is
"TIME_PREFIX=\"eventdate\":\"
TIME_FORMAT= %b %d %Y %H:%M:%S
LINE_BREAKER=([\r\n]+)\s*{"formatVersion
SHOULD_LINEMERGE=false
ANNOTATE_PUNCT=false
TRUNCATE = 0
KV_MODE=json
AUTO_KV_JSON=true"
i facing issue at line breaker can any one help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where are your lines breaking now? Just every line? Regardless, a few thoughts...
First, is the quote (") in front of your TIME_PREFIX a typo? if not, you probably want to get rid of that.
Second, have you tried escaping the curly brace in your line breaker? I don't think it should need escaped, but might be worth trying.
Third, do you have these settings on your indexer? If not, where are they and where are you ingesting the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use props and transforms to extract key values pairs for json events.
Include this line for the sourcetype in question in the props.conf
[sourcetype]
TIME_PREFIX=\"eventdate\":\"
TIME_FORMAT= %b %d %Y %H:%M:%S
LINE_BREAKER=([\r\n]+)\s*{"formatVersion
SHOULD_LINEMERGE=false
ANNOTATE_PUNCT=false
TRUNCATE = 0
REPORT-json_extraction = json_trans
and in the respective transforms.conf:
[json_trans]
REGEX = \"([^\":]+)\":\"([^\"\{]+)\"\s*,*\}*
FORMAT = $1::$2
Sometimes, directly using regex works better than auto_kv or kv_mode or spath.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i tried it but still same issue.
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Feel the Splunk Love: Real Stories from Real Customers
Data Management Digest – November 2025
