How to split the following JSON into different eve...

ranjitbrhm1 · ‎04-18-2018

Hello All,
Im a newbie to JSON and have pretty much no knowledge in programming. Can someone please assist in splitting the following json into diffrent events (split events). I have removed some details from JSON in compliance with the community rules, and rest of it is pretty much just dummy data.

{  
   "STATUS":"OK",
   "todo-items":[  
      {  
         "id":17223591,
         "canComplete":true,
         "comments-count":0,
         "description":"",
         "has-reminders":false,
         "has-unread-comments":false,
         "private":2,
         "content":"Map Indexed Data of Windows Servers to Windows Infrastructure  App",
         "order":2000,
         "project-id":353705,
         "project-name":"IT18-03-IT Dashboarding System",
         "todo-list-id":1533948,
         "todo-list-name":"Phase Two",
         "tasklist-private":true,
         "tasklist-isTemplate":false,
         "status":"new",
         "company-name":"TECIT",
         "company-id":103131,
         "creator-id":316954,
         "creator-firstname":"3333",
         "creator-lastname":"33333",
         "completed":false,
         "start-date":"20180325",
         "due-date-base":"20180415",
         "due-date":"20180415",
         "created-on":"2018-02-21T05:53:40Z",
         "last-changed-on":"2018-03-29T11:41:56Z",
         "position":2000,
         "estimated-minutes":0,
         "priority":"",
         "progress":0,
         "harvest-enabled":false,
         "parentTaskId":"17223590",
         "lockdownId":"806894",
         "tasklist-lockdownId":"806894",
         "has-dependencies":2,
         "has-predecessors":0,
         "hasTickets":false,
         "timeIsLogged":"0",
         "attachments-count":0,
         "responsible-party-ids":"317122,316954",
         "responsible-party-id":"317122,316954",
         "responsible-party-names":"Projects T.|3333.",
         "responsible-party-type":"Person",
         "responsible-party-firstname":"33333",
         "responsible-party-lastname":"3333",
         "responsible-party-summary":"You + 1 other",
         "predecessors":[  

         ],
         "parent-task":{  
            "content":"Customization - Infrastructure Log Monitoring / HW",
            "id":"17223590"
         },
         "canEdit":true,
         "viewEstimatedTime":true,
         "canLogTime":false,
         "userFollowingComments":false,
         "userFollowingChanges":false,
         "DLM":0
      },
      {  
         "id":17223405,
         "canComplete":false,
         "comments-count":1,
         "description":"",
         "has-reminders":false,
         "has-unread-comments":false,
         "private":2,
         "content":"fdfdfdfdfdfd",
         "order":2000,
         "project-id":353705,
         "project-name":"asdf",
         "todo-list-id":1533948,
         "todo-list-name":"Phase Two",
         "tasklist-private":true,
         "tasklist-isTemplate":false,
         "status":"new",
         "company-name":"asdasd",
         "company-id":103131,
         "creator-id":316954,
         "creator-firstname":"3333",
         "creator-lastname":"333333",
         "completed":false,
         "start-date":"20180227",
         "due-date-base":"20180408",
         "due-date":"20180408",
         "created-on":"2018-02-21T04:42:49Z",
         "last-changed-on":"2018-03-29T10:34:36Z",
         "position":2000,
         "estimated-minutes":0,
         "priority":"",
         "progress":0,
         "harvest-enabled":false,
         "parentTaskId":"17223403",
         "lockdownId":"806894",
         "tasklist-lockdownId":"806894",
         "has-dependencies":2,
         "has-predecessors":0,
         "hasTickets":false,
         "timeIsLogged":"0",
         "attachments-count":0,
         "responsible-party-ids":"221525",
         "responsible-party-id":"221525",
         "responsible-party-names":"3333A.",
         "responsible-party-type":"Person",
         "responsible-party-firstname":"3333",
         "responsible-party-lastname":"Al33i",
         "responsible-party-summary":"3333A.",
         "predecessors":[  

         ],
         "parent-task":{  
            "content":"Work Package 3",
            "id":"17223403"
         },
         "canEdit":false,
         "viewEstimatedTime":true,
         "canLogTime":false,
         "commentFollowerSummary":"You + 2 others",
         "commentFollowerIds":"221525,316954,317122",
         "userFollowingComments":true,
         "userFollowingChanges":false,
         "DLM":0
      },

jconger · ‎04-18-2018

Is this just a file on disk, or is it coming from some code somewhere? If so, a few things will need to happen:

1) Strip out the header
2) Define a line breaker
3) Strip out the footer (closing square bracket and curly brace)

This props.conf may work (it is hard to tell without a complete sample):

[myJSON]
SEDCMD-remove_header = s/^(?:.*\n){1,3}//g
SEDCMD-remove_footer = s/\][\r\n]\s*\}.*$//g
LINE_BREAKER = \}(\s*,[\r\n]\s*)\{

It is a best practice to have some time formatting in your props.conf also, but I don't see anything that looks like a timestamp.

ranjitbrhm1 · ‎04-18-2018

Thanks for the answer. I am pulling down the json using a curl script and put a continuous monitor in place for this to be injested on to the splunk instance.

jconger · ‎04-18-2018

In that case, I would recommend using the Splunk Add-on Builder which can automate this for you (and break the events without all that regex mentioned above). Here is a walkthrough -> http://dev.splunk.com/view/addon-builder/SP-CAAAFCA

nkaplan_splunk · ‎02-19-2020

The updated location of the Splunk Add-on Builder documentation is https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/UseTheApp

How to split the following JSON into different events?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?