How to Break Json output script in multiple events

markuxProof
Path Finder

Greetings.

I've been trying for several days to break a JSON array into multiple events.
This JSON is the output of a Python script that exports data from an Excel spreadsheet.
I've seen several answers here on the forum, but I still cannot solve the problem.
At the moment I'm using a sourcetype identical to _json. Here is an example of the structure of my .json file.

Can someone help me?

[
  {
    "planilha": "Controles",
    "timestamp": 1493758631,
    "projeto_categoria": "fid pré-venda",
    "projeto_status": "encerrado",
    "projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
    "projeto_codigo": "99.999.99",
    "projeto_nome": "Projeto Teste BBASDAS - ASDASD",
    "produto_nome_fabricante": "Fabricante asdfasdf a",
    "produto_nome": "Produto qeq weq we",
    "gn_nome": "Gerente Negócio Teste",
    "gp_nome": "Nenhum",
    "cliente_nome": "Cliente Teste",
    "horas_junior_estimado": "",
    "horas_pleno_estimado": "",
    "horas_senior_estimado": "",
    "horas_gp_estimado": "",
    "horas_total_estimado": 0,
    "horas_junior_realizado": 0,
    "horas_pleno_realizado": 48,
    "horas_senior_realizado": 441,
    "horas_gp_realizado": 58,
    "horas_total_realizado": 547,
    "custo_total_realizado": "50364.10",
    "doc_plano_projeto": "Nenhum",
    "doc_cronograma": "Nenhum",
    "doc_diario_bordo": "Nenhum",
    "doc_documentacao_tecnica": "Nenhum",
    "doc_termo_encerramento": "Nenhum"
  },
  {
    "planilha": "Controles",
    "timestamp": 1493758631,
    "projeto_categoria": "fid pré-venda",
    "projeto_status": "encerrado",
    "projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
    "projeto_codigo": "99.999.99",
    "projeto_nome": "Projeto Teste BBASDAS - ASDASD",
    "produto_nome_fabricante": "Fabricante asdfasdf a",
    "produto_nome": "Produto qeq weq we",
    "gn_nome": "Gerente Negócio Teste",
    "gp_nome": "Nenhum",
    "cliente_nome": "Cliente Teste",
    "horas_junior_estimado": "",
    "horas_pleno_estimado": "",
    "horas_senior_estimado": "",
    "horas_gp_estimado": "",
    "horas_total_estimado": 0,
    "horas_junior_realizado": 0,
    "horas_pleno_realizado": 48,
    "horas_senior_realizado": 441,
    "horas_gp_realizado": 58,
    "horas_total_realizado": 547,
    "custo_total_realizado": "50364.10",
    "doc_plano_projeto": "Nenhum",
    "doc_cronograma": "Nenhum",
    "doc_diario_bordo": "Nenhum",
    "doc_documentacao_tecnica": "Nenhum",
    "doc_termo_encerramento": "Nenhum"
  }
]
1 Solution

SplunkersRock
Path Finder

| extract pairdelim=",", kvdelim='":"'| extract pairdelim=",", kvdelim='"\s+:\s+"'


markuxProof
Path Finder

Thanks SplunkersRock!


paulbannister
Communicator

Hi There,

How large is the JSON in question? If you're saying that it is not separating the data out into the relevant fields, it may be because the data is being truncated and the endpoint is not being found. Have you set TRUNCATE=0 in the sourcetype?

Also try changing the CHARSET option in the sourcetype to JAVA or, failing that, try other options in the list, as that was an issue we had with one of our JSON inputs.

markuxProof
Path Finder

Greetings paulbannister.

Sorry for the delay in answering; I was out of service because of the birth of my son. This JSON is sparse due to some tests it was performing, but the actual format of it is minified. I made the changes you indicated to me. The fields have been recognized, but the problem is that only one event is recognized.

Do you have any suggestion?

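One way around the "only one event is recognized" symptom, as an added example that is not from this thread: have the exporting script write newline-delimited JSON (one object per line) instead of a single pretty-printed array, which the _json sourcetype then breaks into one event per object. The sample records, the `array_to_ndjson` / `count_events` names and the output file name are constructed for the example.

```python
import json

# Constructed sample mirroring the shape of the poster's export
# (two records, trimmed to a few keys); not the original file.
SAMPLE_ARRAY = """[
  {"planilha": "Controles", "timestamp": 1493758631,
   "projeto_categoria": "fid pré-venda",
   "projeto_codigo": "99.999.99", "horas_total_realizado": 547},
  {"planilha": "Controles", "timestamp": 1493758631,
   "projeto_categoria": "fid pré-venda",
   "projeto_codigo": "99.999.98", "horas_total_realizado": 12}
]"""


def array_to_ndjson(text):
    """Turn a JSON array into newline-delimited JSON, one object per line.

    A pretty-printed array is parsed by the _json sourcetype as a single
    event; one compact object per line gives one event per record.
    """
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a top-level JSON array")
    lines = []
    for record in data:
        if not isinstance(record, dict):
            raise ValueError("every element must be a JSON object")
        # ensure_ascii=False keeps 'pré-venda' readable as UTF-8; no
        # indentation so that a single record never spans several lines.
        lines.append(json.dumps(record, ensure_ascii=False,
                                separators=(",", ":")))
    return "\n".join(lines) + "\n"


def count_events(ndjson_text):
    """Parse every non-empty line back; returns how many events it holds."""
    return sum(1 for line in ndjson_text.splitlines()
               if line.strip() and isinstance(json.loads(line), dict))


if __name__ == "__main__":
    out = array_to_ndjson(SAMPLE_ARRAY)
    with open("export.ndjson", "w", encoding="utf-8") as fh:
        fh.write(out)
    print(count_events(out), "events written")
```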