I have multiple formats of json data coming in from Azure Keyvault. I can't seem to get the linebreaking to work properly and Splunk AddOn for Microsoft Cloudservices doesn't provide any props for many of these json blobs. ( multiple matching lines per ingested event } { "count": 1, "total": 1, "minimum": 1, "maximum": 1, "average": 1, "resourceId": "/SUBSCRIPTIONS/blah/blah", "time": "2025-05-07T14:08:00.0000000Z", "metricName": "ServiceApiHit", "timeGrain": "PT1M"} { "count": 1, "total": 14, "minimum": 14, "maximum": 14, "average": 14, "resourceId": "/SUBSCRIPTIONS/blah/blah", "time": "2025-05-07T14:08:00.0000000Z", "metricName": "ServiceApiLatency", "timeGrain": "PT1M"} And some look like this: { "time": "2025-05-07T14:07:58.7286344Z", "category": "AuditEvent", ....... "13"} { "time": "2025-05-07T14:08:02.8617508Z", "category": "AuditEvent", ....... "13"} I've tried numerous combinations of regexes ... nothing's working. LINE_BREAKER = (\}([\r\n]\s*,[\r\n]\s*){|\{\s+\"(count|time)\") Any suggestions would be greatly helpful.
... View more