Splunk Search

parse json events properly and new line

ashoksamal63
New Member

I have json data coming in. Some times few jsons are coming together.

ex:

json \x00\x00\x00\x00\x00\x00\xA2\x00\x00է\xF9n[\x00\x00\xFF\xFF\xFF\xFF\x00\x00\xC7 json\x00\x00\x00\x00\x00\x00\xA2\x00\x00է\xF9n[\x00\x00\xFF\xFF\xFF\xFF\x00\x00\xC7json.

\x00\x00\x00\x00\x00\x00\xA2\x00\x00է\xF9n[\x00\x00\xFF\xFF\xFF\xFF\x00\x00\xC7 - is not constant always . it has few special char like 'n[', 'է' which keep on changing.

And every json has this kind of string (\x00\x00\x00\x00\x00\x00\xA2\x00\x00է\xF9n[\x00\x00\xFF\xFF\xFF\xFF\x00\x00\xC7) at the beginning or end of it. All i want is.

  1. one json per event
  2. no junk values like (\x00\x00\x00\x00\x00\x00\xA2\x00\x00է\xF9n[\x00\x00\xFF\xFF\xFF\xFF\x00\x00\xC7) in the event

Can some one help here please quickly??? Please

Tags (1)
0 Karma

alemarzu
Motivator

Hi ashoksamal,

Do you mind sharing an entire event sample so I can help you ?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...