×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
syunwei
Engager
Member since: ‎06-18-2018
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎06-18-2018
Topics I've Started
No posts to display.
View All

Re: How to prevent splunk from merging few JSON st...

by in Getting Data In
‎06-21-2018 04:36 PM
‎06-21-2018 04:36 PM
Hi spellanser, I had the same problem with that merged JSON logs. I've tried various props.conf setting that were not working until I change the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD settings. My guess is when Splunk try to parsing logs and couldn't find event timestamp so then the logs were not splitted. I can see from Splunk document: TIME_PREFIX: * If the TIME_PREFIX cannot be found in the event text, timestamp extraction will not occur. * Defaults to empty. Here is my JSON logs look like: {"asctime": "2018-06-22T09:13Z+0000", "exception": "xxxx", "function_name": "xxxx"} {"asctime": "2018-06-22T09:15Z+0000", "exc_duration": 100, "exc_memory": "70 MB"} Props.conf: [my_sourcetype] INDEXED_EXTRACTIONS = json KV_MODE=none SHOULD_LINEMERGE=true NO_BINARY_CHECK=true BREAK_ONLY_BEFORE=([\r\n]+) TIME_PREFIX=asctime:\s MAX_TIMESTAMP_LOOKAHEAD=25 TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ%z Hope this may help in your situation. Cheers ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to