Reputation: 6030
Simple concatenated json line breaker in Splunk
I know this is probably simple, but for some reason I am able to get a line breaker working in Splunk. I am fetching a data source from AWS S3, and multiple events in JSON format are concatenated. e.g.
{"key":"value", {"composite":"result"}}{"something":"else"}
So LINE_BREAKER should match on }{ with the left brace included.
I have SHOULD_LINEMERGE=false and then LINE_BREAKER=(\{.+\})\{ but i loose the closing bracket. The }{ don't have any characters between them (not even a newline), what is the best way to split these?
Upvotes: 0
Views: 1442
Answers (1)
Reputation: 9926
The LINE_BREAKER attribute requires a capture group, but discards the text that matches the capture group. The solution is to be more creative with the regex.
LINE_BREAKER=\}()\{
Empty capture groups are allowed.
Your comments confuse matters. Are events separated by }{ or by {"key"? The value of LINE_BREAKER should be set to whatever separates events. Once you've established that then you can address the TRUNCATE setting.
Upvotes: 1
Related Questions
- Splunk: Configure inputs.conf to parse only JSON files
- splunk : json spath extract
- How to extract fields from an escaped JSON(nested) in splunk?
- Splunk query for javascript object to JSON string
- Splunk : Extracting the elements from JSON structure as separate fields
- Print String array of a json payload in splunk
- how do I parse a JSON file to SPLUNK?
- Splunk not recognizing regex
- Unable to extract JSON fields in Splunk
- How to forward sub-json object to splunk indexer