Solved: Re: How to Break Json output script in multiple ev...

markuxProof · ‎05-02-2017

Greetings.

I'm trying for several days to break a json array into multiple events.
This Json is the output of a python script that exports data from an Excel spreadsheet.
I've seen several answers here from the forum, but I still can not solve the problem.
At the moment I'm using a sourcetype identical to _json. Here is an example of the structure of my .json file.

Can someone help me?

[
  {
    "planilha": "Controles",
    "timestamp": 1493758631,
    "projeto_categoria": "fid pré-venda",
    "projeto_status": "encerrado",
    "projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
    "projeto_codigo": "99.999.99",
    "projeto_nome": "Projeto Teste BBASDAS - ASDASD",
    "produto_nome_fabricante": "Fabricante asdfasdf a",
    "produto_nome": "Produto qeq weq we",
    "gn_nome": "Gerente Negócio Teste",
    "gp_nome": "Nenhum",
    "cliente_nome": "Cliente Teste",
    "horas_junior_estimado": "",
    "horas_pleno_estimado": "",
    "horas_senior_estimado": "",
    "horas_gp_estimado": "",
    "horas_total_estimado": 0,
    "horas_junior_realizado": 0,
    "horas_pleno_realizado": 48,
    "horas_senior_realizado": 441,
    "horas_gp_realizado": 58,
    "horas_total_realizado": 547,
    "custo_total_realizado": "50364.10",
    "doc_plano_projeto": "Nenhum",
    "doc_cronograma": "Nenhum",
    "doc_diario_bordo": "Nenhum",
    "doc_documentacao_tecnica": "Nenhum",
    "doc_termo_encerramento": "Nenhum"
  },
  {
    "planilha": "Controles",
    "timestamp": 1493758631,
    "projeto_categoria": "fid pré-venda",
    "projeto_status": "encerrado",
    "projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
    "projeto_codigo": "99.999.99",
    "projeto_nome": "Projeto Teste BBASDAS - ASDASD",
    "produto_nome_fabricante": "Fabricante asdfasdf a",
    "produto_nome": "Produto qeq weq we",
    "gn_nome": "Gerente Negócio Teste",
    "gp_nome": "Nenhum",
    "cliente_nome": "Cliente Teste",
    "horas_junior_estimado": "",
    "horas_pleno_estimado": "",
    "horas_senior_estimado": "",
    "horas_gp_estimado": "",
    "horas_total_estimado": 0,
    "horas_junior_realizado": 0,
    "horas_pleno_realizado": 48,
    "horas_senior_realizado": 441,
    "horas_gp_realizado": 58,
    "horas_total_realizado": 547,
    "custo_total_realizado": "50364.10",
    "doc_plano_projeto": "Nenhum",
    "doc_cronograma": "Nenhum",
    "doc_diario_bordo": "Nenhum",
    "doc_documentacao_tecnica": "Nenhum",
    "doc_termo_encerramento": "Nenhum"
  }
]![alt text][1]

SplunkersRock · ‎05-15-2017

| extract pairdelim=",", kvdelim='":"'| extract pairdelim=",", kvdelim='"\s+:\s+"'

View solution in original post

SplunkersRock · ‎05-15-2017

| extract pairdelim=",", kvdelim='":"'| extract pairdelim=",", kvdelim='"\s+:\s+"'

markuxProof · ‎06-08-2017

Thanks SplunkersRock!

paulbannister · ‎05-03-2017

Hi There,

How large is the JSON in question? If you're saying that it is not separating the data out into the relevant fields it may be because the data is being truncated and the endpoint is not being found, have you set TRUNCATE=0 in the sourcetype?

Also try changing the CHARSET option in the sourcetype to JAVA, or failing that trying other options in the list as that was an issue we had with one of our JSON inputs

markuxProof · ‎05-15-2017

Greetings paulbannister.

Sorry for the delay in answering, I was out of service because of the birth of my son. This JSON is sparse due to some tests it was performing, but the actual format of it is minified. I made the changes you indicated to me. The fields have been recognized, but the problem is that only one event is recognized.

Do you have any suggestion?

How to Break Json output script in multiple events

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk