JSON line breaking

mcbradfordwcb
Engager

I am trying to break one big JSON event into several events, eventually 1080, but in the example below there would be 5 events.

I know I need to create a props.conf.

This is what I have so far, but it is not working:

# props.conf stanza for the sourcetype
[me_json]
# Break only where LINE_BREAKER matches; do not re-merge lines into multi-line events
SHOULD_LINEMERGE = false
# The capturing group is the discarded boundary; the text after it starts the next event
LINE_BREAKER     = ([\r\n]+)agent_installed_dir
# Timestamp: the digits after this prefix, read as epoch seconds (%s) plus 3 millisecond digits (%3N)
TIME_PREFIX      = process_end_time:\s+
TIME_FORMAT      = %s%3N

This is a sample of the event, with real data (systems/IPs) removed:

{
   message_response: {
     limit: 5
     page: 1
     scancomputers: [
       {
         agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\
         agent_installed_on: 1535659874922
         agent_last_contact_time: 1571069154000
         agent_logged_on_users: blah
         agent_version: 10.0.362.W
         branch_office_name: my Computers
         build_number: 18362.418
         computer_live_status: 1
         computer_status_update_time: 1570734355370
         description: --
         domain_netbios_name: mydomain
         error_kb_url: --
         installation_status: 22
         ip_address: 10.100.1.1
         last_successful_scan: 1570718183654
         last_sync_time: 1571072071009
         mac_address: xx:xx:xx:xx:xx:xx
         os_platform: 1
         os_version: 10.0.18362
         osflavor_id: 0
         process_end_time: 1570718183654
         process_start_time: 1569940581295
         resource_id: 3373
         resource_name: blah_blah1
         scan_remarks: dc.common.SCANNING_COMPLETED
         scan_remarks_en: Scanning Completed
         scan_status: 2
         service_pack: Windows 10 Version 1903 (x64)
         service_pack_major_version: 0
         service_pack_minor_version: 0
         software_name: Windows 10 Professional Edition (x64)
         status_label: dc.db.som.status.installed_successfully
       }
       {
         agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\
         agent_installed_on: 1535662084385
         agent_last_contact_time: 1571070178000
         agent_logged_on_users: --
         agent_version: 10.0.362.W
         branch_office_name: my Computers
         build_number: 7601.24524
         computer_live_status: 1
         computer_status_update_time: 1570737696974
         description: --
         domain_netbios_name: mydomain
         error_kb_url: --
         installation_status: 22
         ip_address: 10.100.1.2
         last_successful_scan: 1570716193151
         last_sync_time: 1571072071009
         mac_address: xx:xx:xx:xx:xx:xx
         os_platform: 1
         os_version: 6.1.7601
         osflavor_id: 0
         process_end_time: 1570716193151
         process_start_time: 1569573982199
         resource_id: 3539
         resource_name: blah_blah2
         scan_remarks: dc.common.SCANNING_COMPLETED
         scan_remarks_en: Scanning Completed
         scan_status: 2
         service_pack: Windows 7 SP1 (x64)
         service_pack_major_version: 1
         service_pack_minor_version: 0
         software_name: Windows 7 Professional Edition (x64)
         status_label: dc.db.som.status.installed_successfully
       }
       { ... }
       { ... }
       { ... }
     ]
     total: 1080
   }
   message_type: scancomputers
   message_version: 1.0
   status: success
}
0 Karma
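As an added illustration that is not part of the thread, the following Python snippet emulates how Splunk applies LINE_BREAKER (with SHOULD_LINEMERGE = false) and TIME_PREFIX/TIME_FORMAT = %s%3N to raw text, run over a constructed raw JSON sample shaped like the event above. It assumes the raw event is pretty-printed JSON with quoted, indented keys (the real _raw is not on the page), and the RAW_* regexes that allow for those quotes are my own variants, not from the question.

```python
import re

# Constructed stand-in for the raw (_raw) API response: pretty-printed JSON with quoted
# keys. The real _raw event is not on the page, so this layout is an assumption.
RAW = r'''{
  "message_response": {
    "scancomputers": [
      {
        "agent_installed_dir": "C:\\Program Files (x86)\\DesktopCentral_Agent\\",
        "process_end_time": 1570718183654,
        "resource_name": "blah_blah1"
      },
      {
        "agent_installed_dir": "C:\\Program Files (x86)\\DesktopCentral_Agent\\",
        "process_end_time": 1570716193151,
        "resource_name": "blah_blah2"
      }
    ],
    "total": 1080
  },
  "message_type": "scancomputers"
}'''

# Regexes exactly as in the question (written against the pretty-printed viewer text)...
PAGE_BREAKER = r'([\r\n]+)agent_installed_dir'
PAGE_TIME_PREFIX = r'process_end_time:\s+'
# ...and variants (mine) that allow for the quotes and indentation present in raw JSON.
RAW_BREAKER = r'([\r\n]+)\s*"agent_installed_dir"'
RAW_TIME_PREFIX = r'"process_end_time":\s*'


def split_events(raw: str, line_breaker: str) -> list[str]:
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE=false: each match is a boundary, the
    text captured by group 1 is discarded, and what follows the group starts a new event."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_epoch_ms(event: str, time_prefix: str):
    """Emulate TIME_PREFIX + TIME_FORMAT=%s%3N: epoch seconds (%s) immediately followed
    by three millisecond digits (%3N). Returns epoch milliseconds, or None if no match."""
    m = re.search(time_prefix + r'(?P<s>\d{10})(?P<ms>\d{3})', event)
    return int(m.group("s")) * 1000 + int(m.group("ms")) if m else None
```

On this sample the question's regexes never match (the raw text has quotes and indentation the viewer hides), while the quoted variants yield three fragments: a header fragment with no timestamp, then one fragment per computer, each dragging the closing `},` and the next `{` along. The split pieces are therefore not valid JSON on their own, which matters if you expect automatic JSON field extraction on the resulting events.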

kamlesh_vaghela
SplunkTrust

@mcbradfordwcb

Please share the _raw event in a code block.

0 Karma