Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to split JSON array into Multiple events at In...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
04-03-2019
03:48 PM
I have an event :
{
"local": [
{
"display_name": "juniper0",
"tenant": null,
"created": "2019-03-29",
"local_context_data": {
"ntp": {
"peers": [
"192.168.10.15",
"192.168.10.16"
]
}
},
"serial": "124334",
"asset_tag": null,
"site": {
"id": 1,
"name": "TestSite",
"slug": "testsite"
},
"virtual_chassis": null,
"primary_ip4": {
"id": 7,
"address": "192.37.28.78/24",
"family": 4
},
"cluster": null,
"tags": [],
"last_updated": "2019-04-01T09:41:41.633296Z",
"vc_position": null,
"primary_ip": {
"id": 7,
"address": "192.37.28.78/24",
"family": 4
},
"device_type": {
"id": 1,
"display_name": "Juniper test",
"manufacturer": {
"id": 5,
"name": "Juniper",
"slug": "juniper"
},
"slug": "test",
"model": "test"
},
"primary_ip6": null,
"parent_device": null,
"face": null,
"device_role": {
"id": 3,
"name": "Switch",
"slug": "switch"
},
"comments": "",
"platform": null,
"name": "juniper0",
"id": 8,
"status": {
"value": 1,
"label": "Active"
},
"position": null,
"custom_fields": {},
"rack": null,
"vc_priority": null
},
{
"display_name": "juniper1",
"tenant": null,
"created": "2019-04-02",
"local_context_data": null,
"serial": "",
"asset_tag": null,
"site": {
"id": 1,
"name": "TestSite",
"slug": "testsite"
},
"virtual_chassis": null,
"primary_ip4": null,
"cluster": null,
"tags": [],
"last_updated": "2019-04-02T18:08:16.222025Z",
"vc_position": null,
"primary_ip": null,
"device_type": {
"id": 1,
"display_name": "Juniper test",
"manufacturer": {
"id": 5,
"name": "Juniper",
"slug": "juniper"
},
"slug": "test",
"model": "test"
},
"primary_ip6": null,
"parent_device": null,
"face": null,
"device_role": {
"id": 6,
"name": "Firewall",
"slug": "firewall"
},
"comments": "",
"platform": null,
"name": "juniper1",
"id": 9,
"status": {
"value": 1,
"label": "Active"
},
"position": null,
"custom_fields": {},
"rack": null,
"vc_priority": null
}
]
}
I want this event to be split into 2 events such as :
1st Event
{
"display_name": "juniper0",
"tenant": null,
"created": "2019-03-29",
"local_context_data": {
"ntp": {
"peers": [
"192.168.10.15",
"192.168.10.16"
]
}
},
"serial": "124334",
"asset_tag": null,
"site": {
"id": 1,
"name": "TestSite",
"slug": "testsite"
},
"virtual_chassis": null,
"primary_ip4": {
"id": 7,
"address": "192.37.28.78/24",
"family": 4
},
"cluster": null,
"tags": [],
"last_updated": "2019-04-01T09:41:41.633296Z",
"vc_position": null,
"primary_ip": {
"id": 7,
"address": "192.37.28.78/24",
"family": 4
},
"device_type": {
"id": 1,
"display_name": "Juniper test",
"manufacturer": {
"id": 5,
"name": "Juniper",
"slug": "juniper"
},
"slug": "test",
"model": "test"
},
"primary_ip6": null,
"parent_device": null,
"face": null,
"device_role": {
"id": 3,
"name": "Switch",
"slug": "switch"
},
"comments": "",
"platform": null,
"name": "juniper0",
"id": 8,
"status": {
"value": 1,
"label": "Active"
},
"position": null,
"custom_fields": {},
"rack": null,
"vc_priority": null
}
2nd Event
{
"display_name": "juniper1",
"tenant": null,
"created": "2019-04-02",
"local_context_data": null,
"serial": "",
"asset_tag": null,
"site": {
"id": 1,
"name": "TestSite",
"slug": "testsite"
},
"virtual_chassis": null,
"primary_ip4": null,
"cluster": null,
"tags": [],
"last_updated": "2019-04-02T18:08:16.222025Z",
"vc_position": null,
"primary_ip": null,
"device_type": {
"id": 1,
"display_name": "Juniper test",
"manufacturer": {
"id": 5,
"name": "Juniper",
"slug": "juniper"
},
"slug": "test",
"model": "test"
},
"primary_ip6": null,
"parent_device": null,
"face": null,
"device_role": {
"id": 6,
"name": "Firewall",
"slug": "firewall"
},
"comments": "",
"platform": null,
"name": "juniper1",
"id": 9,
"status": {
"value": 1,
"label": "Active"
},
"position": null,
"custom_fields": {},
"rack": null,
"vc_priority": null
}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
04-04-2019
11:35 AM
Solved with the following config:
[sourcetype]
KV_MODE = json
LINE_BREAKER = \}(,\s+)\{
SEDCMD-remove_footer = s/\}\s+\]//g
SEDCMD-remove_header = s/\{\s+\"local\"\:\s+\[//g
SHOULD_LINEMERGE = 0
pulldown_type = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
04-04-2019
11:35 AM
Solved with the following config:
[sourcetype]
KV_MODE = json
LINE_BREAKER = \}(,\s+)\{
SEDCMD-remove_footer = s/\}\s+\]//g
SEDCMD-remove_header = s/\{\s+\"local\"\:\s+\[//g
SHOULD_LINEMERGE = 0
pulldown_type = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
04-03-2019
11:14 PM
@mayurr98
Can you please try below configurations in your props.conf?
[my_stanza]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
LINE_BREAKER=}(\,){
SEDCMD-break=s/({"local": \[)//g
SEDCMD-b=s/]}$//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
04-04-2019
11:36 AM
Thanks for the reply 🙂
Get Updates on the Splunk Community!
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...
Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions
Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...
Index This | How do you write 23 only using the number 2?
July 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
