I am currently trying to split my JSON into multiple events at index time in Splunk. But when I do this, it breaks each line into multiple events. I am not good with regex, so I tried using the regex from the answer here:
https://answers.splunk.com/answers/289520/how-to-split-a-json-array-into-multiple-events-wit.html
The answer is exactly how I want my output to be.
Here's my props.conf and my sample JSON:
1.
[jsonsourcetype]
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = ((?<!")\},|[\r\n]+)
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
SEDCMD-remove_footer = s/\]\s+\}//g
TIME_PREFIX = \"CreatedDate\":\s+\"
2.
{
"records": [
{
"field1": "923893829413",
"CreatedDate": "2018-08-10T06:24:35.000+0000",
"Id": "a8928371DL0",
"attributes": {
"type": "F",
"url": "/something/etc/test"
}
},
{
"field1": "923829323829413",
"Id": "a8921238371DL01",
"attributes": {
"type": "TF",
"url": "urlHere"
}
}
]
}
Try this:
BREAK_ONLY_BEFORE = (\[\s+\{)
MUST_BREAK_AFTER = (\},|\}\s+\])
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
SEDCMD-remove_footer = s/\]\s+\}//g
Yes, I tried it, but my output was one event. This is exactly what I need, but for some reason it's not working on mine.
Ok, here's the source type I used for this output:
[test22]
BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE
DATETIME_CONFIG =
MUST_BREAK_AFTER = (\},|\}\s+\])
NO_BINARY_CHECK = true
SEDCMD-remove_footer = s/\]\s+\}//g
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
TIME_PREFIX = \"CreatedDate\":\s+\"
category = Custom
pulldown_type = true
Try to reindex your file with that same source type.
Thank you, this works and I understand most of it except that first line, BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE. Could you explain that a bit?
Try this:
BREAK_ONLY_BEFORE = (\[\s+\{)
MUST_BREAK_AFTER = (\},|\}\s+\])
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
SEDCMD-remove_footer = s/\]\s+\}//g
This just seems to put it back into one event. I need multiple events.
Awesome, thanks! After adding this with the comment you posted in the other answer, it worked great! Thank you.
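As an added example (not from the thread and not Splunk's own code), a small Python model of the props.conf stages the thread relies on, run over the question's sample JSON: LINE_BREAKER splits the input and discards its first capture group, SHOULD_LINEMERGE merges lines until MUST_BREAK_AFTER matches (a BREAK_ONLY_BEFORE set to the literal text BREAK_ONLY_BEFORE matches no line, so it never breaks), and the two SEDCMDs then run per event. The model ignores date-based line breaking, and the helper names are mine.

```python
import re

# Constructed sample: the JSON posted in the question, verbatim.
SAMPLE = """{
"records": [
{
"field1": "923893829413",
"CreatedDate": "2018-08-10T06:24:35.000+0000",
"Id": "a8928371DL0",
"attributes": {
"type": "F",
"url": "/something/etc/test"
}
},
{
"field1": "923829323829413",
"Id": "a8921238371DL01",
"attributes": {
"type": "TF",
"url": "urlHere"
}
}
]
}"""
# The thread's two SEDCMDs as (pattern, replacement); Splunk applies them per event.
SEDCMDS = [(r"(\{\s+.+?\[)", ""), (r"\]\s+\}", "")]

def break_events(raw, line_breaker=r"([\r\n]+)", should_linemerge=True,
                 break_only_before=None, must_break_after=None):
    # LINE_BREAKER: text matched by the first capture group is discarded and marks a break.
    lines = [l for l in re.split(line_breaker, raw)[::2] if l]
    if not should_linemerge:          # SHOULD_LINEMERGE = FALSE: every piece is an event
        return lines
    events, cur = [], []              # merge lines until a rule forces a break
    for line in lines:                # (date-based breaking is deliberately ignored)
        if cur and break_only_before and re.search(break_only_before, line):
            events.append("\n".join(cur)); cur = []
        cur.append(line)
        if must_break_after and re.search(must_break_after, line):
            events.append("\n".join(cur)); cur = []
    return events + (["\n".join(cur)] if cur else [])

def apply_sedcmds(events):
    # Run every SEDCMD (s/pat/repl/g) over each event; drop events left blank.
    for pat, repl in SEDCMDS:
        events = [re.sub(pat, repl, ev) for ev in events]
    return [ev.strip() for ev in events if ev.strip()]

def question_events():   # the question's props.conf: one event per line of the file
    return apply_sedcmds(break_events(SAMPLE, r'((?<!")\},|[\r\n]+)', should_linemerge=False))

def answer_events():     # the second answer's source type: one event per record
    return apply_sedcmds(break_events(SAMPLE, break_only_before="BREAK_ONLY_BEFORE",
                                      must_break_after=r"(\},|\}\s+\])"))
```

Under this model the question's settings turn every line of the file into its own event, while the second answer's settings yield one event per record; note that the first event keeps the trailing comma from `},`, which neither SEDCMD strips.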