Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex with Line break while pushing data into splunk

mailtosnsolutio
Explorer
‎01-16-2020 12:59 PM

Hello Team,

Could you please help to parse this data while pushing this in source type data into splunk.

Issue is if i am adding Event Break with Regex using this }}(,)

ROW1 getting converted into JSON but ROW2 is not able to convert due to its merging data (like in Row 2 there is 2 _time )

Could anyone please help ?

Row 1
{"time":"2019-12-27T18:08:56.9035062Z","systemId":"03761897-51e8-4a4f-b1c7-01b5372fbece","macAddress":"000D3AF9BCB0","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/E63B08C3-D314-48D8-B10A-C58199BB78B1/RESOURCEGROUPS/AZUR-P-1-SOSG-RG-1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/S-10.65.5.192-28-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":1,"flows":[{"rule":"UserRule_Deny_Outbound","flows":[{"mac":"000D3AF9BCB0","flowTuples":["1577470084,10.65.5.198,205.185.216"]}]}]}}

Row 2
{"time":"2019-12-27T18:09:56.9504048Z","systemId":"03761897-51e8-4a4f-b1c7-01b5372fbece","macAddress":"000D3AF9BCB0","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/E63B08C3-D314-48D8-B10A-C58199BB78B1/RESOURCEGROUPS/AZUR-P-1-SOSG-RG-1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/S-10.65.5.192-28-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":1,"flows":[{"rule":"UserRule_Deny_Outbound","flows":[{"mac":"000D3AF9BCB0","flowTuples":["1577470135,10.65.5.198,23.75.194.41,59094,80,T,O,D"]}]}]}}]}
{"time":"2019-12-27T18:00:55.7627056Z","systemId":"a951027c-dc23-41a7-9973-77afcfa4bbfd","macAddress":"000D3A6D539B","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/E63B08C3-D314-48D8-B10A-C58199BB78B1/RESOURCEGROUPS/AZUR-P-1-SOSG-RG-1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/S-10.65.5.48-28-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":1,"flows":[{"rule":"UserRule_Deny_Outbound","flows":[{"mac":"000D3A6D539B","flowTuples":["1577469594,10.65.5.53,10.65.5.68,59262,17472,T,O,D","1577469595,10.65.5.53,168.62.24.23,59254,443,T,O,D"]}]}]}}

alt text

Preview file
138 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2020 01:06 PM

Try LINE_BREAKER = ([\r\n]+){"time".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mailtosnsolutio
Explorer
‎01-16-2020 11:59 PM

Sorry its not working

actaully having issue of Row 2 Ending "]}]}]}} <------ This one creating issue
as in Row 1 it have ]}]}]}}

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...