I am using an API to fetch the JSON logs and sending the JSON output to Splunk. props.conf is on the search head.
I am seeing intermittent issues where the JSON logs are not split, even though I am sending the JSON objects one by one via scripting.
JSON payload:
{"test": "emailid", "remote": "13.17.14.2", "guide": "05773-56-C2-E9", "test1": "testing", "date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}
{"remote": "13.7.4.28", "guide": "05773-56-C2-E9", "test1": "testing", "date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}
props.conf is:
INDEXED_EXTRACTIONS = JSON
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = (\{\"|\"\})
MUST_BREAK_AFTER = \"\}
Please guide.
I tried including SHOULD_LINEMERGE = false, but it didn't work.
Never use the BREAK_* settings; always do it like this (these are the only breaking settings required):
SHOULD_LINEMERGE = false
LINE_BREAKER = \"\}(\s*[\r\n]+\s*)(?:\{\")|(?:\"\})
| makeresults
| eval _raw= "{\"test\": \"emailid\" , \"remote\": \"13.17.14.2\", \"guide\": \"05773-56-C2-E9\", \"test1\": \"testing\", \"date\": \"2019-12-13T19:05:03.836+00:00\", \"sessionID\": \"abc1\"}"
| appendpipe
[| eval _raw="{\"remote\": \"13.7.4.28\", \"guide\": \"05773-56-C2-E9\", \"test1\": \"testing\", \"date\": \"2019-12-13T19:05:03.836+00:00\", \"sessionID\": \"abc1\"}" ]
| eval _time=strptime(spath(_raw,"date"),"%Y-%m-%dT%H:%M:%S.%Q%:z")
| spath
If it is a search, it can be extracted correctly.
why-would-indexed-extractionsjson-in-propsconf
How about using this as a reference?
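To check a LINE_BREAKER against sample data before deploying it, here is an added example (not from the original thread or from Splunk) that simulates the documented LINE_BREAKER semantics in Python: an event boundary is placed at the first capturing group of each match and the captured text is discarded. It uses the regex from the answer above and the two JSON objects from the question as constructed input; treating a match whose group 1 does not participate as "no boundary" is an assumption of this simulation.

```python
import json
import re

# LINE_BREAKER from the answer above, copied verbatim (this pattern uses only
# PCRE syntax that Python's re module also understands).
LINE_BREAKER = r'\"\}(\s*[\r\n]+\s*)(?:\{\")|(?:\"\})'

# Constructed sample: the two JSON objects from the question, one per line,
# as a script sending them one by one would deliver them.
SAMPLE = (
    '{"test": "emailid", "remote": "13.17.14.2", "guide": "05773-56-C2-E9", '
    '"test1": "testing", "date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}\n'
    '{"remote": "13.7.4.28", "guide": "05773-56-C2-E9", "test1": "testing", '
    '"date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}\n'
)


def split_events(raw, line_breaker=LINE_BREAKER):
    """Simulate LINE_BREAKER with SHOULD_LINEMERGE = false: cut the stream at
    the first capturing group of each match and drop the captured text.
    Assumption of this simulation: a match in which group 1 does not
    participate (the second alternative of the regex) is not a boundary."""
    events = []
    start = 0
    for m in re.finditer(line_breaker, raw):
        if m.group(1) is None:
            continue
        events.append(raw[start:m.start(1)])  # "}" stays with the prior event
        start = m.end(1)                      # '{"' starts the next event
    tail = raw[start:]
    if tail.strip():
        events.append(tail)
    return [e.strip() for e in events]


def parse_events(raw):
    """Split, then JSON-decode each event. A decode error here means the
    breaker cut inside an object, which is what shows up in Splunk as
    merged or truncated events."""
    return [json.loads(e) for e in split_events(raw)]


if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev.get("remote"), ev.get("sessionID"))
```

LINE_BREAKER and SHOULD_LINEMERGE act at parse time, so they must be in props.conf on the first full Splunk instance that parses the data (indexer or heavy forwarder), not only on the search head.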
It's an intermittent issue. The data is different in each payload. Can it be done while indexing rather than at search time? Please guide.
Sorry, I don’t know how.