I have a JSON file which is being indexed by Splunk. The format is like this:
{
  testdata : [
    {
      "testid" : 1234,
      "abc" : "def",
      "def" : "abc",
      "httpServer" : [
        {
          "responseTime" : 300,
          "responseCode" : 200,
          "datetime": 0982894965
        },
        {
          "responseTime": 312,
          "responseCode": 200,
          "datetime": 09230948509
        }
      ],
      "transactions" : [
        {
          ....
        },
        {
          ....
        }
      ]
    },
    {
      "testid": 1234,
      ....
    }
  ]
}
Can someone please suggest a regex which can give me the relevant data for every "testid"? Whatever regex I tried doesn't seem to work. I was using this stanza in my props.conf:
[randomsourcetype]
[accountgroups]
TRUNCATE = 0
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]*)(?=\{)
DATETIME_CONFIG = CURRENT
Thanks in advance