Getting Data In

how to break the JSON data?

vrmandadi
Builder

Hello Experts,

Attached is the sample JSON file which I am trying to upload to Splunk. I have uploaded it through Splunk Web and it broke the events successfully, but when I try to upload it via the CLI, it takes all 8 events into a single event. Can you please help me break those 8 events?

s2_splunk
Splunk Employee

When you upload the data via the UI, Splunk detects the source file format and assigns a sourcetype that makes sense. In this case, probably _json.
If you want to achieve the same result via the command line, you need to configure and specify a sourcetype with the proper settings for your json data. When you are using the command line, you have to replace some of the smarts of the UI with manual actions.
I'd recommend reading (at least) this chapter of the Getting Data In manual to understand how Splunk processes data.

You can also go through the UI once, then save the sourcetype settings under a new name you choose, and then use that sourcetype on subsequent CLI uploads.

0 Karma

vrmandadi
Builder

I tried using the same UI sourcetype with the CLI, but it did not work. If you could help me with the sourcetype for the CLI, that would be great.

0 Karma
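
A sourcetype definition of the kind the answer describes, as an added example that is not part of the original thread. The stanza name `my_json`, the file path and the index are hypothetical, and it assumes each event in the file is one complete JSON object, since the attached sample is not shown here.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf on the instance that reads the file.
# Restart Splunk after editing so the new sourcetype is loaded.
# "my_json" is a hypothetical name; the two settings below are the ones the
# built-in _json sourcetype uses.
[my_json]
# Parse the file as structured JSON at index time, so that each JSON object
# is indexed as its own event instead of the whole file becoming one event.
INDEXED_EXTRACTIONS = json
# Fields are already extracted at index time; do not extract them again at search time.
KV_MODE = none

# Index the file from the CLI and name the sourcetype explicitly
# (path and index are placeholders):
#   $SPLUNK_HOME/bin/splunk add oneshot /path/to/sample.json -sourcetype my_json -index main
#
# Check the result; for the file in the question the count should be 8:
#   index=main sourcetype=my_json | stats count
```

If the sourcetype was saved from the UI into an app context, the CLI upload only picks it up when `-sourcetype` names it exactly and the stanza is visible to the instance doing the parsing.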