I have a JSON doc that prints events like so:
{"id":72,"stationName":"W 52 St & 11 Ave","availableDocks":1,"totalDocks":39,"latitude":40.76727216,"longitude":-73.99392888,"statusValue":"In Service","statusKey":1,"availableBikes":35,"stAddress1":"W 52 St & 11 Ave","stAddress2":"","city":"","postalCode":"","location":"","altitude":"","testStation":false,"lastCommunicationTime":"2015-08-12 04:30:26 AM","landMark":""},{"id":79,"stationName":"Franklin St & W Broadway","availableDocks":32,"totalDocks":33,"latitude":40.71911552,"longitude":-74.00666661,"statusValue":"In Service","statusKey":1,"availableBikes":0,"stAddress1":"Franklin St & W Broadway","stAddress2":"","city":"","postalCode":"","location":"","altitude":"","testStation":false,"lastCommunicationTime":"2015-08-12 04:33:44 AM","landMark":""},.........
Each new event starts immediately before: {"id"
Given this doc is just one line, I believe MUST_BREAK_BEFORE = \{"id" in props.conf won't work. Can someone confirm?
So I'm now wrestling with LINE_BREAKER with SHOULD_LINEMERGE = false.
As per this answer, I cannot get this approach to work. LINE_BREAKER = \{\"id
Having read other threads / docs, I am thinking this is incorrect though.
Wherever the regex matches, Splunk considers the start of the first matching group to be the end of the previous event, and considers the end of the first matching group to be the start of the next event.
You are telling Splunk that this text comes between lines.
I have tried setting a number of matching groups, but still haven't cracked it. Anyone have any ideas?
In addition to this, what is the order of LINE_BREAKER compared to SEDCMD in the processing pipeline? If I modify an event using SEDCMD, can I base my LINE_BREAKER on the transformed event after SEDCMD?
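Added example (not from the original post or from Splunk): a small Python simulation of the LINE_BREAKER rule quoted above, run over a constructed, shortened version of the one-line JSON feed. It shows why a pattern that captures the `{"id"` text itself removes that text from the next event, and that a pattern like `\}(,)\{"id"` (capturing only the comma between records) yields intact JSON objects; with SHOULD_LINEMERGE = false that is the setting this simulation corresponds to.

```python
import json
import re

# Constructed sample input: three abbreviated station records on one line,
# shaped like the feed in the question (field values shortened).
SAMPLE = (
    '{"id":72,"stationName":"W 52 St & 11 Ave","availableDocks":1,"totalDocks":39},'
    '{"id":79,"stationName":"Franklin St & W Broadway","availableDocks":32,"totalDocks":33},'
    '{"id":82,"stationName":"St James Pl & Pearl St","availableDocks":27,"totalDocks":27}'
)


def split_events(text, line_breaker):
    """Simulate Splunk's LINE_BREAKER semantics (SHOULD_LINEMERGE = false).

    For each regex match, the start of the first capture group ends the
    previous event and the end of the first capture group starts the next
    one; the captured text itself is dropped from both events.
    """
    pattern = re.compile(line_breaker)
    events, pos = [], 0
    for m in pattern.finditer(text):
        events.append(text[pos:m.start(1)])
        pos = m.end(1)
    events.append(text[pos:])
    return [e for e in events if e]  # drop the empty leading piece, if any


def valid_json_count(events):
    """Number of split events that parse as a complete JSON object."""
    ok = 0
    for e in events:
        try:
            json.loads(e)
            ok += 1
        except ValueError:
            pass
    return ok


if __name__ == "__main__":
    # Capturing only the comma keeps every record whole.
    good = split_events(SAMPLE, r'\}(,)\{"id"')
    print(len(good), "events,", valid_json_count(good), "valid JSON")
    # Capturing the '{"id"' text strips it from each following event.
    bad = split_events(SAMPLE, r'(\{"id")')
    print(len(bad), "events,", valid_json_count(bad), "valid JSON")
```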