I am using a simple receiver to upload some lines of JSON. The input file has one JSON object (hash) per line, terminated with a newline. When I upload 12 JSON objects, they report as 10 events. In the cases where I get the 2-for-1 behavior, there is an Object (hash) that embeds another Object (hash) in the second of the two lines. For example, these two lines come back as one event:
{"sstime":1411843443,"value":"151236","event_id":"_view_","d1":"eng","d2":"primary","device_time":"2014-09-27 18:44:03","obj_type":"v","format":"2","rev":"1","version":"1.2.15","device_id":"86ec200468586be","appl_id":15204}
{"sstime":1411843443,"value":{"url":"local_data_53786/eng_welcome_primary.mp3","name":"welcome_primary"},"event_id":"_audiostart_","d1":"eng","d2":"primary","device_time":"2014-09-27 18:44:04","obj_type":"","audio_url":"local_data_53786/eng_welcome_primary.mp3","audio_name":"welcome_primary","format":"2","rev":"1","version":"1.2.15","device_id":"86ec200468586be","appl_id":15204}
As you can see, the second Object has a key with the name "value" that defines a subordinate Object. All the problem lines, are like this pair. Does anyone know how to get Splunk to recognize these are two events?
... View more