Solved: How can I split JSON into multiple events?

0xlc · ‎12-07-2018

Hi,

can anyone help me a bit? i am trying to split an event in more lines or more events, every events got multiple lines starting with the below

{"class":

what i want is to parse every line as separated event

i tried with line breaker and event breaker, but i am not really god at regex

props.conf

[source:/opt/api/shared/log/sidekiq.log]
EVENT_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false

also i got this error message in splunkd.log

AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set BREAK_ONLY_BEFORE_DATE to False, and unset any MUST_NOT_BREAK_BEFORE or MUST_NOT_BREAK_AFTER rules. Typically this will amount to treating this data as single-line only. - data_source="/log/sidekiq.log", data_host="blabla", data_sourcetype="ruby_on_rails"

Thanks!

whrg · ‎12-07-2018

Hi! I think you are missing a colon in the first line. Try

[source::/opt/api/shared/log/sidekiq.log]

instead of

[source:/opt/api/shared/log/sidekiq.log]

View solution in original post

whrg · ‎12-07-2018

Hi! I think you are missing a colon in the first line. Try

[source::/opt/api/shared/log/sidekiq.log]

instead of

[source:/opt/api/shared/log/sidekiq.log]

0xlc · ‎12-07-2018

well that did the trick! Thanks

now i need to parse the nested list inside the same line.

i'll have a look around here propably there is already the answer

i am trying with spath but is not working

i got something like:

{"class":"EventsWorker","args":["{\"id\"=187918,....]

i can't extract args, i tried:

mysearch | spath path=args{} output=args

How can I split JSON into multiple events?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!