I'm trying to ingest a JSON file and got the following error:
splunkd.log:01-07-2023 00:42:51.375 +0100 ERROR JsonLineBreaker [36024 parsing] - JSON StreamId:229865635822760533 had parsing error:Unexpected character: '/' - data_source="/opt/rfcanalyzer/var/log/housekeeping/dailyupdates.log", data_host="vrfcanalyzer.rfcanalyzer.net", data_sourcetype="_json"
Splunk complains about the following JSON lines:
{"tstamp": "2023-01-07 16:23:12", "severity": "INFO", "process": "dailyupdates.sh", "message": "Removing rubbish from /ramtmp/20230107-splunk.txt"}
{"tstamp": "2023-01-07 16:28:43", "severity": "INFO", "process": "dailyupdates.sh", "message": "Sorting /ramtmp/20230107-splunk.txt"}
{"tstamp": "2023-01-07 16:57:07", "severity": "INFO", "process": "dailyupdates.sh", "message": "Converting all domains in /ramtmp/20230107-alldomains.txt to lowercase"}
{"tstamp": "2023-01-07 16:57:38", "severity": "INFO", "process": "dailyupdates.sh", "message": "Sorting /ramtmp/20230107-alldomains.txt"}
According to jsonlint, these are valid JSON. I'm using the standard _json sourcetype.
Any idea what is wrong?
Cheers,
Karl