All Apps and Add-ons

How I can split single event into multiple events?

deeptha1992
New Member

I have configured Rest api and it is giving data in json format as a single event. I wants to split it into multiple events
ie, for example the data is in this format now
{ [-]
queryResponse: { [-]
@count: 4288943

@first: 0

@last: 99
@type: ClientSessions
entity: [ [-]
{ [-]
@dtoType: clientSessionsDTO

@type: ClientSessions
clientSessionsDTO: { [-]
@displayName: 14
@id: 14
anchorIpAddress: abcd

authenticationAlgorithm: xyz
authorizationPolicy: na
bytesReceived: 0

bytesSent: 0
webSecurity: abc

wgbStatus: dgghsd
}

}

{ [-]
@dtoType: clientSessionsDTO

@type: ClientSessions
clientSessionsDTO: { [-]
@displayName: 15
@id: 15
anchorIpAddress: abcd

authenticationAlgorithm: xyz
authorizationPolicy: na
bytesReceived: 0

bytesSent: 0
webSecurity: abc

wgbStatus: dgghsd

            }   
    }   
        {   [-] 
         @dtoType:   clientSessionsDTO  
            @type:   ClientSessions 
             clientSessionsDTO: {   [-] 
                @displayName:    16 
                 @id:    16 
                anchorIpAddress:     abcd   
                 authenticationAlgorithm:    xyz
                 authorizationPolicy:    na 
                 bytesReceived:  0  
                bytesSent:   0
                webSecurity:     abc    
                wgbStatus:   dgghsd 
    }   
    }   
        .
        .
        .
  I want to split it as 

event 1
entity: [ [-]
{ [-]
@dtoType: clientSessionsDTO

@type: ClientSessions
clientSessionsDTO: { [-]
@displayName: 14
@id: 14
anchorIpAddress: abcd

authenticationAlgorithm: xyz
authorizationPolicy: na
bytesReceived: 0

bytesSent: 0
webSecurity: abc

wgbStatus: dgghsd
}

}

event 2
{ [-]
@dtoType: clientSessionsDTO

@type: ClientSessions
clientSessionsDTO: { [-]
@displayName: 15
@id: 15
anchorIpAddress: abcd

authenticationAlgorithm: xyz
authorizationPolicy: na
bytesReceived: 0

bytesSent: 0
webSecurity: abc

wgbStatus: dgghsd

            }   
    }   

event 3
{ [-]
@dtoType: clientSessionsDTO

@type: ClientSessions
clientSessionsDTO: { [-]
@displayName: 16
@id: 16
anchorIpAddress: abcd

authenticationAlgorithm: xyz
authorizationPolicy: na
bytesReceived: 0

bytesSent: 0
webSecurity: abc

wgbStatus: dgghsd
}

}

how I can achieve this?

Thanks in advance.

0 Karma

ansif
Motivator

Are you using REST API modular input app then I suggest one of my question below:

https://answers.splunk.com/answers/656804/need-help-to-parse-json-rest-api-response.html

You have to use Responsehandler to do this.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...