Splunk Search

JSON parsing - event breaks

Nadhiyaa
Path Finder

Below is my event:

[
{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}
{
created_at: 2019-08-25T03:50:59.412Z
credibility_score: -5
email: muhammad.irfan@xx.ae
id: 623
last_reported_at: 2019-08-26T15:14:33.000Z
reports_count: 2
updated_at: 2019-08-26T15:10:40.260Z
vip: false
}
]

I want to break this into single events, taking the timestamp from my last_reported_at field.

Below is my props.conf

[xxx]
SHOULD_LINEMERGE = false
category = Splunk App Add-on Builder
pulldown_type = 1
KV_MODE = json
NO_BINARY_CHECK = true
TRUNCATE = 0
TIME_PREFIX = "last_reported_at":"

Please correct what's wrong with my props.conf.


jrballesteros05
Communicator

I had an experience similar to yours and I finally had to modify the script that generates the JSON to avoid using arrays. I mean JSON like this:

[
{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}
]

It did not work for me. I had to remove the array and had JSON like this:

{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}

Then the sourcetype _json worked perfectly.

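As an added example (not code from this thread), this is the conversion the answer above describes: flatten the JSON array into newline-delimited JSON so that each object is one line and therefore one event under SHOULD_LINEMERGE = false. The records are constructed from the values in the question; the objects are emitted compactly because the question's TIME_PREFIX regex expects `"last_reported_at":"` with no space after the colon.

```python
import json
import re

# Constructed sample: the array shape shown in the question, as raw JSON text.
SAMPLE_ARRAY = """[
  {"created_at": "2019-08-28T13:48:48.722Z", "credibility_score": -5,
   "email": "swathi.nandigam@xx.ae", "id": 625,
   "last_reported_at": "2019-08-28T13:52:48.000Z", "reports_count": 1,
   "updated_at": "2019-08-28T13:48:51.519Z", "vip": false},
  {"created_at": "2019-08-28T04:46:22.106Z", "credibility_score": 0,
   "email": "richard.talian@xx.ae", "id": 624,
   "last_reported_at": "2019-08-28T04:48:36.000Z", "reports_count": 1,
   "updated_at": "2019-08-28T04:46:24.169Z", "vip": false},
  {"created_at": "2019-08-25T03:50:59.412Z", "credibility_score": -5,
   "email": "muhammad.irfan@xx.ae", "id": 623,
   "last_reported_at": "2019-08-26T15:14:33.000Z", "reports_count": 2,
   "updated_at": "2019-08-26T15:10:40.260Z", "vip": false}
]"""

# The TIME_PREFIX from the question's props.conf, treated as the regex Splunk applies.
TIME_PREFIX = re.compile(r'"last_reported_at":"')


def to_ndjson(array_text: str, time_field: str = "last_reported_at") -> list:
    """Turn a JSON array of objects into one compact JSON object per line.

    One line per event means SHOULD_LINEMERGE = false breaks events correctly
    without any LINE_BREAKER tuning. Compact separators matter: json.dumps()
    defaults to '": "', which the TIME_PREFIX regex above would never match.
    A record without the timestamp field is rejected rather than silently
    indexed with a wrong _time.
    """
    records = json.loads(array_text)
    if not isinstance(records, list):
        raise ValueError("top-level JSON must be an array of objects")
    lines = []
    for rec in records:
        if time_field not in rec:
            raise ValueError(f"record id={rec.get('id')} lacks {time_field}")
        lines.append(json.dumps(rec, separators=(",", ":"), sort_keys=True))
    return lines


def events_with_timestamp(lines: list) -> int:
    """Count lines on which the TIME_PREFIX regex would locate the timestamp."""
    return sum(1 for line in lines if TIME_PREFIX.search(line))


if __name__ == "__main__":
    for line in to_ndjson(SAMPLE_ARRAY):
        print(line)
```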

riqbal47010
Path Finder

So please accept my answer.


Nadhiyaa
Path Finder

Hi @riqbal47010, yes it worked. But when I give the table command the values are coming double. How can I resolve that?


riqbal47010
Path Finder

Please define the sourcetype as

sourcetype = _json


Nadhiyaa
Path Finder

Hi, if I define sourcetype=_json, it gets only the first event:

{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}


kamlesh_vaghela
SplunkTrust

@Nadhiyaa

Can you please share the sample event in a code block, like:

event

OR

event

Nadhiyaa
Path Finder
[
{
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}
{
created_at: 2019-08-25T03:50:59.412Z
credibility_score: -5
email: muhammad.irfan@xx.ae
id: 623
last_reported_at: 2019-08-26T15:14:33.000Z
reports_count: 2
updated_at: 2019-08-26T15:10:40.260Z
vip: false
}
]