Help with props.conf configuration to remove outer curly bracket before ingesting JSON file to get event ID

lim2
Communicator

props.conf to remove the outer curly bracket before ingesting a JSON file, from
{
"filters": [
{
"id": "94960710-78a8-139d-6e52-5845eba8ebc9",
"name": "admin",
},
{
"id": "ec6402e0-3874-bc4d-715b-1c1f1b7bd695",
"name": "test",
}
]
}

to
"filters": [
{
"id": "94960710-78a8-139d-6e52-5845eba8ebc9",
"name": "admin",
},
{
"id": "ec6402e0-3874-bc4d-715b-1c1f1b7bd695",
"name": "test",
}
]
so that I can get id/name under different events.
I tried with JSON_TRIM_BRACES_IN_ARRAY_NAMES=true and mount_point=filters, with no result.
Please advise.
Thanks

0 Karma

lim2
Communicator

Adding the following line to props.conf seemed to have worked for removing the outer curly brackets.
SEDCMD-removebracket = '1d;$d'

0 Karma

malmoore
Splunk Employee

Hi,

I confirmed with an engineer that this option will work in the way it's been depicted here.

0 Karma

gjanders
SplunkTrust

Interesting, that doesn't quite match the documentation but glad it works 🙂
Perhaps you can accept your own answer here?

0 Karma

MuS
Legend

I messaged the docs team to verify with the dev team that this works this way and, if so, to update the docs 😉

cheers, MuS

MuS
Legend

Little update here: This is under investigation now

0 Karma

gjanders
SplunkTrust
 [your_sourcetype_goes_here]
 SEDCMD-removebracket = s/^{//g

That is assuming the { is the very first line of the event; if not, the regular expression might need some tweaking. If you wanted to work over multiline mode you can, as per this answer.

0 Karma

lim2
Communicator

Thanks for the idea, I will also try with SEDCMD-removebracket = 1d;$d (from sed -e -i '1d;$d' jsonfile)

0 Karma

gjanders
SplunkTrust

From the props.conf documentation you will need to use an s/... version; it appears to be slightly different from sed on Unix, but I think you get the idea of the answer 🙂

* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
0 Karma
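
The replace (s) and substitute (y) syntax quoted from the props.conf documentation above can be tried offline against a sample event before it goes into a sourcetype stanza. The following is an added example, not part of the thread and not Splunk's code: a Python emulation of those two commands applied to the JSON from the question. The function names and the two regexes in strip_outer_braces are assumptions made for illustration, and Python's re module stands in for Splunk's Perl-style regex.

```python
import re

# Constructed sample: the JSON from the question, treated as one multi-line event.
SAMPLE_EVENT = """{
"filters": [
{
"id": "94960710-78a8-139d-6e52-5845eba8ebc9",
"name": "admin",
},
{
"id": "ec6402e0-3874-bc4d-715b-1c1f1b7bd695",
"name": "test",
}
]
}"""


def apply_sed(command, text):
    """Emulate one s/regex/replacement/flags or y/string1/string2/ command.

    Assumptions: Python's re stands in for Perl regex, "/" is never escaped
    inside the command, and an empty flag replaces the first match only.
    """
    parts = command[2:].split("/")
    if command.startswith("s/") and len(parts) == 3:
        regex, replacement, flags = parts
        if flags.isdigit():  # numeric flag: replace only the n-th match
            matches = list(re.finditer(regex, text))
            n = int(flags)
            if not 1 <= n <= len(matches):
                return text
            m = matches[n - 1]
            return text[:m.start()] + m.expand(replacement) + text[m.end():]
        return re.sub(regex, replacement, text, count=0 if flags == "g" else 1)
    if command.startswith("y/") and len(parts) == 3:
        return text.translate(str.maketrans(parts[0], parts[1]))
    raise ValueError("not an s/// or y/// command: " + command)


def strip_outer_braces(event):
    """Remove only the first '{' and the last '}' of the event; inner objects stay."""
    event = apply_sed(r"s/^\s*\{\s*//", event)   # hypothetical regex: opening brace
    return apply_sed(r"s/\s*\}\s*$//", event)    # hypothetical regex: closing brace


if __name__ == "__main__":
    print(strip_outer_braces(SAMPLE_EVENT))
```

Because ^ and $ anchor to the start and end of the whole event here, the result depends on the event containing the complete file, which is the same assumption stated in the s/^{//g answer.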