Getting Data In

Why do I have several JSON events showing as a single Splunk event?

moorvogi
Path Finder

I have 1-40 (or more) JSON objects that are seen as one event within Splunk. Each JSON object ends w/ the "}" character and is a valid JSON object. For whatever reason, there are just several JSON objects per one Splunk event.

How do i split this so it's one JSON entry per Splunk event?

Tags (2)
0 Karma

pruthvikrishnap
Contributor

Hi ,
There are multiple ways you can split the JSON events, you can try adding sedcmd to props.conf somnething like this.
[myJSON]
SEDCMD-remove_header = s/^(?:.\n){1,3}//g
SEDCMD-remove_footer = s/][\r\n]\s
}.$//g
LINE_BREAKER = }(\s
,[\r\n]\s*){`

else you can update a responsehandler which is a python class and use it in your inputs.
https://answers.splunk.com/answers/233620/how-to-use-custom-response-handlers-for-monitoring-1.html

i am not sure on what your scenario is

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...