Solved: Issue with a log JSON

rafamss · ‎02-11-2014

Hi guys,

I'm having a issues with a log data file in the following format (JSON):

{"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 250, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 250, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 700, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 500, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 240, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"widget": { "debug": "on", "window": { "title": "Sample Konfabulator Widget", "name": "main_window", "width": 600, "height": 500 }, "image": { "src": "Images/Sun.png", "name": "sun1", "hOffset": 950, "vOffset": 250, "alignment": "center" }, "text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 190, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }}

The Splunk only recognizes the file as a unique line. What do I do ?

Rafael Martins

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

View solution in original post

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

rafamss · ‎02-11-2014

Hi somesoni2, Your example worked fine. Thanks!

somesoni2 · ‎02-11-2014

Since your data don't have timestamp (for each event), SPlunk is considering whole file content as one event. When seeing the preview of the log file during import, click on 'adjust timestamp and event break settings' link (in top section). Then in 'Event breaks' tab, select option "specify patter..." and provide this value {"widget" . Click on apply and continue with other things that your were doing so far.

rafamss · ‎02-11-2014

I created a new source type and inserted the data log file into directory that was already previously configured. I consider this is the simplest way to do this.

somesoni2 · ‎02-11-2014

did you configure the event breaking or your just went ahead with default values?

rafamss · ‎02-11-2014

I created through Splunk Web.

somesoni2 · ‎02-11-2014

You've create data input from Splunk Web or directly from props.conf?

Issue with a log JSON

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!