I have 1-40 (or more) JSON objects that are seen as one event within Splunk. Each JSON object ends w/ the "}" character and is a valid JSON object. For whatever reason, there are just several JSON objects per one Splunk event.
How do i split this so it's one JSON entry per Splunk event?
Hi ,
There are multiple ways you can split the JSON events, you can try adding sedcmd to props.conf somnething like this.
[myJSON]
SEDCMD-remove_header = s/^(?:.\n){1,3}//g
SEDCMD-remove_footer = s/][\r\n]\s}.$//g
LINE_BREAKER = }(\s,[\r\n]\s*){`
else you can update a responsehandler which is a python class and use it in your inputs.
https://answers.splunk.com/answers/233620/how-to-use-custom-response-handlers-for-monitoring-1.html
i am not sure on what your scenario is