Below is my i/p file
{
"Count": 2,
"Items": [
{
"total_time": {
"S": "0.000s"
},
"start_date_time": {
"S": "2017-09-19 05:00:43"
},
"bad_records": {
"N": "0"
},
"successful_records": {
"N": "0"
},
"source": {
"S": "mps_dnc"
},
"end_date_time": {
"S": "2017-09-19 05:00:43"
},
"file_name": {
"S": "No File"
},
"total_records": {
"N": "0"
},
"job_name": {
"S": "mps_dnc_out"
}
},
{
"total_time": {
"S": "12.783s"
},
"start_date_time": {
"S": "2017-09-19 11:42:21"
},
"bad_records": {
"N": "0"
},
"successful_records": {
"N": "12094"
},
"source": {
"S": "mps_dnc"
},
"end_date_time": {
"S": "2017-09-19 11:42:34"
},
"file_name": {
"S": "do_not_contact_list_2017-09-19T11_42_20.581Z.txt"
},
"total_records": {
"N": "12094"
},
"job_name": {
"S": "mps_dnc_out"
}
}
],
"ScannedCount": 2,
"ConsumedCapacity": null
}
Below is my probs.conf and limit .conf
[spath]
extraction_cutoff = 10000
[dynamoout]
TRUNCATE = 0
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]*)
DATETIME_CONFIG = CURRENT
[source::/script_logs_mps/.]
CHECK_METHOD=entire_md5
Still on splunk i can see only 8 lines.
Try this for your props.conf (on indexer/heavy forwarder)
[dynamoout]
TRUNCATE = 0
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]*)(?=\{)
DATETIME_CONFIG = CURRENT
OR
[dynamoout]
TRUNCATE = 0
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT
Try this for your props.conf (on indexer/heavy forwarder)
[dynamoout]
TRUNCATE = 0
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]*)(?=\{)
DATETIME_CONFIG = CURRENT
OR
[dynamoout]
TRUNCATE = 0
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT
With below setting i can see the json extract working fine
I tried same yesterday but did not worked It is working today. Thanks for your help.
[dynamoout]
TRUNCATE = 0
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT