Greetings.
I've been trying for several days to break a JSON array into multiple events.
This JSON is the output of a Python script that exports data from an Excel spreadsheet.
I've seen several answers here on the forum, but I still cannot solve the problem.
At the moment I'm using a sourcetype identical to _json. Here is an example of the structure of my .json file.
Can someone help me?
[
{
"planilha": "Controles",
"timestamp": 1493758631,
"projeto_categoria": "fid pré-venda",
"projeto_status": "encerrado",
"projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
"projeto_codigo": "99.999.99",
"projeto_nome": "Projeto Teste BBASDAS - ASDASD",
"produto_nome_fabricante": "Fabricante asdfasdf a",
"produto_nome": "Produto qeq weq we",
"gn_nome": "Gerente Negócio Teste",
"gp_nome": "Nenhum",
"cliente_nome": "Cliente Teste",
"horas_junior_estimado": "",
"horas_pleno_estimado": "",
"horas_senior_estimado": "",
"horas_gp_estimado": "",
"horas_total_estimado": 0,
"horas_junior_realizado": 0,
"horas_pleno_realizado": 48,
"horas_senior_realizado": 441,
"horas_gp_realizado": 58,
"horas_total_realizado": 547,
"custo_total_realizado": "50364.10",
"doc_plano_projeto": "Nenhum",
"doc_cronograma": "Nenhum",
"doc_diario_bordo": "Nenhum",
"doc_documentacao_tecnica": "Nenhum",
"doc_termo_encerramento": "Nenhum"
},
{
"planilha": "Controles",
"timestamp": 1493758631,
"projeto_categoria": "fid pré-venda",
"projeto_status": "encerrado",
"projeto_report": "FeedBack sadfpasodjf asd´pfoajs d´fasdf",
"projeto_codigo": "99.999.99",
"projeto_nome": "Projeto Teste BBASDAS - ASDASD",
"produto_nome_fabricante": "Fabricante asdfasdf a",
"produto_nome": "Produto qeq weq we",
"gn_nome": "Gerente Negócio Teste",
"gp_nome": "Nenhum",
"cliente_nome": "Cliente Teste",
"horas_junior_estimado": "",
"horas_pleno_estimado": "",
"horas_senior_estimado": "",
"horas_gp_estimado": "",
"horas_total_estimado": 0,
"horas_junior_realizado": 0,
"horas_pleno_realizado": 48,
"horas_senior_realizado": 441,
"horas_gp_realizado": 58,
"horas_total_realizado": 547,
"custo_total_realizado": "50364.10",
"doc_plano_projeto": "Nenhum",
"doc_cronograma": "Nenhum",
"doc_diario_bordo": "Nenhum",
"doc_documentacao_tecnica": "Nenhum",
"doc_termo_encerramento": "Nenhum"
}
]
| extract pairdelim=",", kvdelim='":"'| extract pairdelim=",", kvdelim='"\s+:\s+"'
Thanks SplunkersRock!
Hi There,
How large is the JSON in question? If you're saying that it is not separating the data out into the relevant fields, it may be because the data is being truncated and the endpoint is not being found. Have you set TRUNCATE=0 in the sourcetype?
Also try changing the CHARSET option in the sourcetype to JAVA, or failing that, try other options in the list, as that was an issue we had with one of our JSON inputs.
Greetings paulbannister.
Sorry for the delay in answering, I was out of service because of the birth of my son. This JSON is sparse due to some tests it was performing, but the actual format of it is minified. I made the changes you indicated to me. The fields have been recognized, but the problem is that only one event is recognized.
Do you have any suggestion?
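An added example, not part of the thread and not the poster's script: because the array comes from a Python export script, one option is to have it write one JSON object per line instead of a single minified array, so that each line is a complete record. It also flags any line longer than 10000 bytes, the props.conf default for TRUNCATE mentioned above. The function names and the shortened sample record are constructed for illustration, and it assumes the input is then broken into events on newlines.

```python
import json

SPLUNK_DEFAULT_TRUNCATE = 10000  # bytes; props.conf default for TRUNCATE

# Constructed sample: one record with a subset of the fields from the post,
# repeated twice and minified onto a single line like the real export.
RECORD = ('{"planilha":"Controles","timestamp":1493758631,'
          '"projeto_categoria":"fid pré-venda","projeto_status":"encerrado",'
          '"horas_total_realizado":547}')
SAMPLE = "[" + RECORD + "," + RECORD + "]"


def array_to_ndjson(text):
    """Return one compact JSON object per line for a top-level JSON array."""
    records = json.loads(text)
    if isinstance(records, dict):        # a lone object counts as one record
        records = [records]
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of objects")
    lines = []
    for i, rec in enumerate(records):
        if not isinstance(rec, dict):
            raise ValueError(f"element {i} is not a JSON object")
        # ensure_ascii=False keeps accented text as UTF-8 rather than \u escapes.
        # json.dumps escapes newlines inside strings, so a record never spans lines.
        lines.append(json.dumps(rec, ensure_ascii=False, separators=(",", ":")))
    return lines


def over_truncate(lines, limit=SPLUNK_DEFAULT_TRUNCATE):
    """Return (index, byte_length) for every line longer than the limit."""
    sizes = ((i, len(line.encode("utf-8"))) for i, line in enumerate(lines))
    return [(i, n) for i, n in sizes if n > limit]


if __name__ == "__main__":
    out = array_to_ndjson(SAMPLE)
    print("\n".join(out))
    print("records:", len(out), "lines over limit:", over_truncate(out))
```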