I have a bunch of sourcetypes which are supposed to contain only valid JSON data. I've been asked to verify that in fact they do contain only json. Is there an easy/elegant way to search to find records which were not well-formed JSON? (ie, records that Splunk can automatically format as a JSON tree.)
@ShagVT if you know the JSON structure like the root node or some other unique pattern, you can use the same to parse and send unwanted data/events to nullQueue (or a separate index) then you can get stats of events pushed to null queue or separate index/sourcetype. https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data...