How to Break Json output script in multiple events

Path Finder

Greetings.

I've been trying for several days to break a JSON array into multiple events.
This JSON is the output of a Python script that exports data from an Excel spreadsheet.
I've seen several answers here on the forum, but I still cannot solve the problem.
At the moment I'm using a sourcetype identical to _json. Here is an example of the structure of my .json file.

Can someone help me?

[
  {
    "planilha": "Controles",
    "timestamp": 1493758631,
    "projeto_categoria": "fid pré-venda",
    "projeto_status": "encerrado",
    "projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
    "projeto_codigo": "99.999.99",
    "projeto_nome": "Projeto Teste BBASDAS - ASDASD",
    "produto_nome_fabricante": "Fabricante asdfasdf a",
    "produto_nome": "Produto qeq weq we",
    "gn_nome": "Gerente Negócio Teste",
    "gp_nome": "Nenhum",
    "cliente_nome": "Cliente Teste",
    "horas_junior_estimado": "",
    "horas_pleno_estimado": "",
    "horas_senior_estimado": "",
    "horas_gp_estimado": "",
    "horas_total_estimado": 0,
    "horas_junior_realizado": 0,
    "horas_pleno_realizado": 48,
    "horas_senior_realizado": 441,
    "horas_gp_realizado": 58,
    "horas_total_realizado": 547,
    "custo_total_realizado": "50364.10",
    "doc_plano_projeto": "Nenhum",
    "doc_cronograma": "Nenhum",
    "doc_diario_bordo": "Nenhum",
    "doc_documentacao_tecnica": "Nenhum",
    "doc_termo_encerramento": "Nenhum"
  },
  {
    "planilha": "Controles",
    "timestamp": 1493758631,
    "projeto_categoria": "fid pré-venda",
    "projeto_status": "encerrado",
    "projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
    "projeto_codigo": "99.999.99",
    "projeto_nome": "Projeto Teste BBASDAS - ASDASD",
    "produto_nome_fabricante": "Fabricante asdfasdf a",
    "produto_nome": "Produto qeq weq we",
    "gn_nome": "Gerente Negócio Teste",
    "gp_nome": "Nenhum",
    "cliente_nome": "Cliente Teste",
    "horas_junior_estimado": "",
    "horas_pleno_estimado": "",
    "horas_senior_estimado": "",
    "horas_gp_estimado": "",
    "horas_total_estimado": 0,
    "horas_junior_realizado": 0,
    "horas_pleno_realizado": 48,
    "horas_senior_realizado": 441,
    "horas_gp_realizado": 58,
    "horas_total_realizado": 547,
    "custo_total_realizado": "50364.10",
    "doc_plano_projeto": "Nenhum",
    "doc_cronograma": "Nenhum",
    "doc_diario_bordo": "Nenhum",
    "doc_documentacao_tecnica": "Nenhum",
    "doc_termo_encerramento": "Nenhum"
  }
]
0 Karma

Re: How to Break Json output script in multiple events

Communicator

Hi There,

How large is the JSON in question? If you're saying that it is not separating the data out into the relevant fields, it may be because the data is being truncated and the endpoint is not being found. Have you set TRUNCATE=0 in the sourcetype?

Also try changing the CHARSET option in the sourcetype to JAVA, or failing that, try other options in the list, as that was an issue we had with one of our JSON inputs.

Re: How to Break Json output script in multiple events

Path Finder

Greetings paulbannister.

Sorry for the delay in answering, I was out of service because of the birth of my son. This JSON is sparse due to some tests it was performing, but the actual format of it is minified. I made the changes you indicated to me. The fields have been recognized, but the problem is that only one event is recognized.

Do you have any suggestions?

0 Karma

Re: How to Break Json output script in multiple events

Path Finder

| extract pairdelim=",", kvdelim='":"' | extract pairdelim=",", kvdelim='"\s+:\s+"'


Re: How to Break Json output script in multiple events

Path Finder

Thanks SplunkersRock!

0 Karma
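
Added example, not part of the thread or any poster's code: since the JSON comes from a Python export script, one alternative is to have that script write newline-delimited JSON, one object per line, instead of a single array. It assumes the input is configured to treat each line as one event; the function name and the sample records (built from the question's field names) are constructed for illustration.

```python
import json


def array_to_ndjson(text):
    """Convert a JSON array of objects to newline-delimited JSON (one object per line)."""
    data = json.loads(text)
    if isinstance(data, dict):
        # A single top-level object is treated as a one-record array.
        data = [data]
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of objects")
    lines = []
    for index, record in enumerate(data):
        if not isinstance(record, dict):
            raise ValueError(f"element {index} is not a JSON object")
        # json.dumps escapes newlines inside string values, so a record never
        # spans more than one line. ensure_ascii=False keeps accented text
        # readable; the output file must then be written as UTF-8.
        lines.append(json.dumps(record, ensure_ascii=False, separators=(",", ":")))
    return "".join(line + "\n" for line in lines)


# Constructed sample: a minified array like the one described in the thread,
# including an accented value and a string containing an embedded newline.
SAMPLE = json.dumps([
    {"planilha": "Controles", "timestamp": 1493758631,
     "projeto_categoria": "fid pré-venda", "horas_total_realizado": 547},
    {"planilha": "Controles", "timestamp": 1493758632,
     "projeto_report": "line one\nline two", "horas_total_realizado": 0},
    {"planilha": "Controles", "timestamp": 1493758633,
     "projeto_status": "encerrado", "horas_total_realizado": 12},
])

if __name__ == "__main__":
    # Each printed line is a complete JSON object that can become its own event.
    print(array_to_ndjson(SAMPLE), end="")
```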