Break individual events from json array

dvarghes · ‎02-26-2020

Hello,

I have been working on breaking events which come from the Splunk Rest api addon output. Default "_json" source_type is considering the entire api response as a single event. My aim is to get individual events for objects come under "results". I have tested some custom source types using props.conf but none of them seems working. Please help me with the props.conf entries.

Required individual event example. NB : The fields in the event is dynamic

{
"created" : "2020-02-27T06:14:34Z",
"eventTypeName" : "EVENT1",
"groupId" : "xxx",
"id" : "xxx",
"isGlobalAdmin" : false,
"links" : [ {
"href" : "https://example.com/api/v2",
"rel" : "self"
} ]
}

I am pasting the entire API response below :

Code below :
{
  "links" : [ {
    "href" : "https://example.com/api/v2",
    "rel" : "self"
  } ],
  "results" : [ {
"created" : "2020-02-27T06:14:34Z",
"eventTypeName" : "EVENT1",
"groupId" : "xxxxx",
"id" : "xxxx",
"isGlobalAdmin" : false,
"links" : [ {
  "href" : "https://example.com/api/v2",
  "rel" : "self"
} ]
}, {
"clusterName" : "splunk-cluster",
"created" : "2020-02-27T06:14:33Z",
"eventTypeName" : "EVENT2",
"groupId" : "xxxxx",
"id" : "xxxxx",
"isGlobalAdmin" : false,
"links" : [ {
  "href" : "https://example.com/api/v2",
  "rel" : "self"
 } ]
}, {
"created" : "2020-02-27T06:14:32Z",
"eventTypeName" : "EVENT3",
"groupId" : "xxxxxx",
"id" : "xxxxxx",
"isGlobalAdmin" : false,
"links" : [ {
  "href" : "https://example.com/api/v2",
  "rel" : "self"
} ],
"remoteAddress" : "xx.xx.xx.xx",
"userId" : "xxxxxx",
"username" : "Sam-test"
} ],
"totalCount" : 3
}

dvarghes · ‎02-26-2020

The following line breaker is not working :

(\},)

dvarghes · ‎02-27-2020

I have tried this in props conf, but not working :

 # props.conf
 [xxxxxxx]
 BREAK_ONLY_BEFORE_DATE = false
 BREAK_ONLY_BEFORE = (\{|\[\s+{)
 MUST_BREAK_AFTER = (\}|\}\s+\])
 SEDCMD-remove_header = s/(\{\s+.+?\[)//g
 SEDCMD-remove_trailing_commas = s/\},/}/g
 SEDCMD-remove_footer = s/\]\s+\}//g

to4kawa · ‎02-27-2020

KV_MODE=JSON
only.
OR
https://answers.splunk.com/answers/802709/make-extractions-in-propsconf-from-search-query.html

dvarghes · ‎02-28-2020

This did not work. All the API response is being considered as a single event.

to4kawa · ‎02-28-2020

spathcan be used single event.
my Q's solution needs LINE_BREAKER

| makeresults 
| eval _raw="{\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}],\"results\":[{\"created\":\"2020-02-27T06:14:34Z\",\"eventTypeName\":\"EVENT1\",\"groupId\":\"xxxxx\",\"id\":\"xxxx\",\"isGlobalAdmin\":false,\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}]},{\"clusterName\":\"splunk-cluster\",\"created\":\"2020-02-27T06:14:33Z\",\"eventTypeName\":\"EVENT2\",\"groupId\":\"xxxxx\",\"id\":\"xxxxx\",\"isGlobalAdmin\":false,\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}]},{\"created\":\"2020-02-27T06:14:32Z\",\"eventTypeName\":\"EVENT3\",\"groupId\":\"xxxxxx\",\"id\":\"xxxxxx\",\"isGlobalAdmin\":false,\"links\":[{\"href\":\"https://example.com/api/v2\",\"rel\":\"self\"}],\"remoteAddress\":\"xx.xx.xx.xx\",\"userId\":\"xxxxxx\",\"username\":\"Sam-test\"}],\"totalCount\":3}"
| spath

your JSON is valid JSON. KV_MODE=JSON will run.
maybe, your props.conf has extra line breakers, so it's not work.

Break individual events from json array

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor