Re: JSON event breaks not working - sometimes

Branden · ‎01-05-2018

I have a log file of properly formatted JSON events, but the event break is not working properly. Sometimes it separates the JSON into separate events, sometimes it does not. There doesn't seem to be any rhyme or reason to this.

I tried the solution here: https://answers.splunk.com/answers/80741/event-break-json.html but it did not work. I am unable to restart Splunk at this time, however, but my understanding is that I shouldn't need to. (Please correct me if I'm wrong.)

Here's my props.conf entry:

[s-web]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false

Here's a sample event:

{"pid":17156,"hostname":"sub.hostname.com","name":"s-undefined","level":30,"time":1515143225539,"remoteAddr":"::ffff:99.99.99.99","remoteAddrs":[],"method":"GET","url":"/","sessionId":"abcd2b32-00e8-4e0b-97f6-23abcdef3233e","v":1}

Am I missing something here?

Thank you in advance for your assistance!

mayurr98 · ‎01-05-2018

hey @Branden

If you just care about breaking the event correctly then you could use the following

[s-web]
BREAK_ONLY_BEFORE = \{\"pid\"

and thereafter restart splunkd
Let me know if this helps you!

Branden · ‎01-05-2018

I will need to schedule the restart of splunkd. I will let you know how it goes!

somesoni2 · ‎01-05-2018

Try with this (keep the rest of the settings)

 LINE_BREAKER = ([\r\n]+)(?=\{\s*\"pid\")

Branden · ‎01-05-2018

Unfortunately, that did not help.
Is it possible I simply need to restart Splunk after making the props.conf change?

somesoni2 · ‎01-05-2018

Yes.. you do need a restart for that change to take effect.

JSON event breaks not working - sometimes

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases