Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split JSON into multiple events using regex?

Zamoraw
New Member
‎08-14-2018 02:25 PM

I am currently trying to split my json into multiple events at index time into Splunk. Although when I do this it breaks each line into multiple events. I am not good with regex, so I tried using the regex from the answer here
https://answers.splunk.com/answers/289520/how-to-split-a-json-array-into-multiple-events-wit.html
The answer is exactly how I want my output to be.
Heres my props.conf and my sample json
1.

[jsonsourcetype]
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = ((?<!")\},|[\r\n]+)
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
SEDCMD-remove_footer = s/\]\s+\}//g
TIME_PREFIX = \"CreatedDate\":\s+\"

2.

{
"records": [
    {
        "field1": "923893829413",
        "CreatedDate": "2018-08-10T06:24:35.000+0000",
        "Id": "a8928371DL0",
        "attributes": {
            "type": "F",
            "url": "/something/etc/test"
        }
    },               
  {
        "field1": "923829323829413",
        "Id": "a8921238371DL01",
        "attributes": {
            "type": "TF",
            "url": "urlHere"
        }
    }          
]
}
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

amiftah
Communicator
‎08-14-2018 02:57 PM

Try this:

BREAK_ONLY_BEFORE = (\[\s+\{)
MUST_BREAK_AFTER = (\},|\}\s+\])
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
SEDCMD-remove_footer = s/\]\s+\}//g

View solution in original post

0 Karma
Reply
Solved! Jump to solution

amiftah
Communicator
‎08-14-2018 05:10 PM

Did you try it?
I have two separate events, unless if it's not what you want..

alt text

0 Karma
Reply
Solved! Jump to solution

Zamoraw
New Member
‎08-14-2018 05:15 PM

Yes, I tried it but my output was one event. This is exactly what I need. But for some reason Its not working on mine.

0 Karma
Reply
Solved! Jump to solution

amiftah
Communicator
‎08-14-2018 05:17 PM

Ok, here's the source type I used for this output:

[test22]
BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE
DATETIME_CONFIG =
MUST_BREAK_AFTER = (\},|\}\s+\])
NO_BINARY_CHECK = true
SEDCMD-remove_footer = s/\]\s+\}//g
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
TIME_PREFIX = \"CreatedDate\":\s+\"
category = Custom
pulldown_type = true

Try to reindex your file with that same source type

Reply
Solved! Jump to solution

Zamoraw
New Member
‎08-15-2018 09:07 AM

Thank you this works and I understand most of it except that first line BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE. Could you explain that a bit?

0 Karma
Reply
Solved! Jump to solution
Solution

amiftah
Communicator
‎08-14-2018 02:57 PM

Try this:

BREAK_ONLY_BEFORE = (\[\s+\{)
MUST_BREAK_AFTER = (\},|\}\s+\])
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
SEDCMD-remove_footer = s/\]\s+\}//g
0 Karma
Reply
Solved! Jump to solution

Zamoraw
New Member
‎08-14-2018 03:16 PM

This just seems to put it back into one event. I need multiple events.

0 Karma
Reply
Solved! Jump to solution

Zamoraw
New Member
‎08-15-2018 09:04 AM

Awesome, Thanks! After adding this with the comment you posted in the other answer it worked great! Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top