This is a head scratcher.
After cleaning up the JSON (trailing commas are not allowed in arrays/hashes, unlike Perl), your regex splits the sample data into 3 events:
{"requests":[{"document":"4968435","requestheaders":{"Content-Type":"url",},"headers":{"Data":"123456",},}],"list":[{"type":"W8021X"}
{"rssi":"97"}],"event":"ONE","systemdate":"2012-10-0910:33:39-0700"}
{"systemdate":"2012-10-0910:35:30-0700","list":[{"rssi":"97"}
So it doesn't handle the 1st event properly.
It seems that the regular expression following the capture group acts as a forward lookahead assertion, which has different behaviour than if it were its own capture group.
Rather than having to mess about in Splunk to figure it out, try this, and fiddle with the regex until it works:
#!/usr/bin/perl
use strict;
use warnings;

my $string='{"events":[{"requests":[{"document":"4968435","requestheaders":{"Content-Type":"url",},"headers":{"Data":"123456",},}],"list":[{"type":"W8021X"},{"rssi":"97"}],"event":"ONE","systemdate":"2012-10-0910:33:39-0700"},{"systemdate":"2012-10-0910:35:30-0700","list":[{"rssi":"97"},{"id":"TWO"}],"event":"TWO"}]}';
my $end;  # offset just past the previous break match (undef until the first match)
# Each regex match is one event break; print the text between consecutive breaks.
while ($string=~/((\{"events":\[)|,)(?=\s*\{(?:[^{}]|\{[^{}]*(?:[^{}]|\{[^{}]*(?:[^{}]|\{[^{}]*\})*\})*\})*\})/g ) {
    print substr($string,$end,$-[0]-$end),"\n" if $end;
    $end=$+[0];
}
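An added example, not part of the original post and written in Python rather than the post's Perl: it runs the post's break pattern over a constructed copy of the sample (trailing commas removed) and records the bracket nesting depth at each break, which shows the pattern also fires at commas inside the nested "list" arrays. The function names and the choice of depth 2 as the level of the "events" array are assumptions of this example.

```python
import re

# Constructed input: the post's sample string with the trailing commas removed.
SAMPLE = (
    '{"events":[{"requests":[{"document":"4968435","requestheaders":'
    '{"Content-Type":"url"},"headers":{"Data":"123456"}}],'
    '"list":[{"type":"W8021X"},{"rssi":"97"}],"event":"ONE",'
    '"systemdate":"2012-10-0910:33:39-0700"},'
    '{"systemdate":"2012-10-0910:35:30-0700",'
    '"list":[{"rssi":"97"},{"id":"TWO"}],"event":"TWO"}]}'
)

# Break pattern copied from the post's Perl script.
BREAKER = re.compile(
    r'((\{"events":\[)|,)(?=\s*\{(?:[^{}]|\{[^{}]*(?:[^{}]|\{[^{}]*'
    r'(?:[^{}]|\{[^{}]*\})*\})*\})*\})'
)

def depth_at(text, pos):
    """Count open {} and [] before offset pos, skipping JSON string contents."""
    depth, in_str, esc = 0, False, False
    for ch in text[:pos]:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "{[":
            depth += 1
        elif ch in "}]":
            depth -= 1
    return depth

def audit_breaks(text):
    """Return (start, end, depth) for every break the pattern finds."""
    return [(m.start(), m.end(), depth_at(text, m.end()))
            for m in BREAKER.finditer(text)]

def split_events(text, event_depth=None):
    """Cut at every break, or only at breaks whose depth equals event_depth."""
    cuts = [b for b in audit_breaks(text) if event_depth in (None, b[2])]
    ends = [b[0] for b in cuts[1:]] + [len(text)]
    return [text[b[1]:e] for b, e in zip(cuts, ends)]
```

Breaks reported at depth 4 sit inside a "list" array; only the depth-2 breaks separate elements of "events". The final segment still carries the closing `]}` of the wrapper.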