I have a 300KB JSON file (I have checked using jsonlint that it is valid format) that I am having troubles with.
When I go to upload it, the preview shows it as completely one event. I know that by default it truncates at 10,000 bytes, so I set TRUNCATE equal to 0. I am still having the same issue. There are many nested arrays in the log and after uploading, it can only access the first element of the first array. For example:
spath output=barNames path=bar{}.barName | table barNames
only returns the first barName, even though it has a second object in that path. It seems like Splunk is not even uploading the whole JSON file?
Here is an overview of the file
{
  "version" : "1.0",
  "bar" : [
    {
      "barName" : "name1",
      "moreRecords" : [ ... ]
    },
    {
      "barName" : "name2",
      "moreRecords" : [ .... ]
    }
  ]
}
In this case, that entire file is a single JSON event. After loading, I can only access the values under bar[0], nothing in bar[1].
I have tried changing KV_MODE to JSON, line merge settings, etc. The data preview never separates into separate events. Any ideas?
Thanks!