Hello
I'm trying to split a JSON array into multiple events in props.conf.
What's the best way to do this?
Here is the json example:
{
"Applications": [
{
"outputname": "Adobe Flash Player",
"version": "19.0.0.185"
},
{
"outputname": "Adobe Reader",
"version": "1.2.3"
},
{
"outputname": "Attachmate Reflection X",
"version": "14.1.1217"
}
],
"TIMESTAMP": "2016-03-07 09:03:43"
}
What should the props.conf look like to split such a file?
Thank you for your suggestions.
There is no props.conf that will split that correctly into other JSON objects. You will need to pre-process with a script or modular input to achieve that.
However, there is a search hack you can do to make reports on the data.
<your_search> | rename Applications{}.* as * | eval z = mvzip(outputname, version) | mvexpand z | eval z = split(z, ",") | eval outputname=mvindex(z,0), version = mvindex(z,1) | stats count by outputname, version
This will allow you to make reports based on the current JSON event.
I know the way with mvzip/mvexpand, but I thought there was an easier way. We did some tests with SEDCMD in props.conf, but I'm not really satisfied with the results.
What do you mean by "pre-process with a script or modular input to achieve that"?
Should I rewrite the script that writes the JSON file so that it logs each array line as a single event?
Yes. If you have a script writing out that JSON object, put each item on its own line. You can put them all in the same file, but Splunk will read them in as individual events.
{ "TIMESTAMP":"2016-03-07 09:03:43", "outputname": "Attachmate Reflection X", "version": "14.1.1217" }
{ "TIMESTAMP":"2016-03-07 09:03:43", "outputname": "Adobe Reader", "version": "1.2.3" }
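As an added illustration of the pre-processing step suggested above (this is not code from the original thread), the script below takes the nested document from the question and rewrites it as one JSON object per line, copying the document-level TIMESTAMP into every application record so each event keeps its own timestamp. The sample input is constructed to mirror the question; the function names split_applications and to_ndjson and the array_key/timestamp_key parameters are my own choices, not Splunk APIs. The trailing commas in the posted sample are not valid JSON, so they are left out of the constructed sample; a strict parser will reject them, which is the behaviour you want before a collector silently feeds malformed events into an index.

```python
import json

# Constructed sample mirroring the nested document in the question
# (the trailing commas in the original post would not parse, so they are omitted here).
SAMPLE = """{
  "Applications": [
    {"outputname": "Adobe Flash Player", "version": "19.0.0.185"},
    {"outputname": "Adobe Reader", "version": "1.2.3"},
    {"outputname": "Attachmate Reflection X", "version": "14.1.1217"}
  ],
  "TIMESTAMP": "2016-03-07 09:03:43"
}"""


def split_applications(document, array_key="Applications", timestamp_key="TIMESTAMP"):
    """Return one flat dict per array element, each carrying the document's timestamp.

    Raises ValueError when the document is not shaped as expected, instead of
    emitting events that Splunk would index with a missing or wrong timestamp.
    (Key names are parameters here as an assumption; the question uses these two.)
    """
    doc = json.loads(document)
    apps = doc.get(array_key)
    if not isinstance(apps, list):
        raise ValueError("%r missing or not an array" % array_key)
    timestamp = doc.get(timestamp_key)
    if not isinstance(timestamp, str):
        raise ValueError("%r missing or not a string" % timestamp_key)

    events = []
    for item in apps:
        if not isinstance(item, dict):
            raise ValueError("array element is not an object")
        # Put TIMESTAMP first so Splunk's default timestamp recognition
        # finds it near the start of the event.
        event = {timestamp_key: timestamp}
        event.update(item)
        events.append(event)
    return events


def to_ndjson(events):
    """Serialise events as one compact JSON object per line.

    json.dumps escapes any newline inside string values, so every event is
    guaranteed to occupy exactly one physical line and Splunk can break the
    file into one event per line.
    """
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)


if __name__ == "__main__":
    # Writes the three per-application lines to stdout; redirect into the
    # file that Splunk monitors.
    print(to_ndjson(split_applications(SAMPLE)), end="")
```

On the Splunk side, a line-per-event file like this only needs SHOULD_LINEMERGE = false and KV_MODE = json in props.conf, plus TIME_PREFIX and TIME_FORMAT (here %Y-%m-%d %H:%M:%S) pointing at the TIMESTAMP field so the event time comes from the record rather than the file's modification time.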
I like this approach, I'll give it a try. Thanks 🙂
Do you see any issues with ingesting this JSON array (which also has a non-array element, the timestamp) as a full event in Splunk? Splunk will convert the JSON array values to multivalued fields, and you should be able to report on them easily.