I am using an API to fetch JSON logs and sending the JSON output to Splunk. Props.conf is on the search head.
I am seeing intermittent issues where the JSON logs are not split, even though I am sending the JSON objects one by one via scripting.
JSON payload:
{"test": "emailid", "remote": "13.17.14.2", "guide": "05773-56-C2-E9", "test1": "testing", "date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}
{"remote": "13.7.4.28", "guide": "05773-56-C2-E9", "test1": "testing", "date": "2019-12-13T19:05:03.836+00:00", "sessionID": "abc1"}
Props.conf is:
INDEXED_EXTRACTIONS = JSON
BREAK_ONLY_BEFORE_DATE=false
BREAK_ONLY_BEFORE=(\{\"|\"\})
MUST_BREAK_AFTER=\"\}
Please guide.
I tried including SHOULD_LINEMERGE = false, but it didn't work.