Hello All,
I'm a newbie to JSON and have pretty much no knowledge of programming. Can someone please assist in splitting the following JSON into different events (split events)? I have removed some details from the JSON in compliance with the community rules, and the rest of it is pretty much just dummy data.
{
"STATUS":"OK",
"todo-items":[
{
"id":17223591,
"canComplete":true,
"comments-count":0,
"description":"",
"has-reminders":false,
"has-unread-comments":false,
"private":2,
"content":"Map Indexed Data of Windows Servers to Windows Infrastructure App",
"order":2000,
"project-id":353705,
"project-name":"IT18-03-IT Dashboarding System",
"todo-list-id":1533948,
"todo-list-name":"Phase Two",
"tasklist-private":true,
"tasklist-isTemplate":false,
"status":"new",
"company-name":"TECIT",
"company-id":103131,
"creator-id":316954,
"creator-firstname":"3333",
"creator-lastname":"33333",
"completed":false,
"start-date":"20180325",
"due-date-base":"20180415",
"due-date":"20180415",
"created-on":"2018-02-21T05:53:40Z",
"last-changed-on":"2018-03-29T11:41:56Z",
"position":2000,
"estimated-minutes":0,
"priority":"",
"progress":0,
"harvest-enabled":false,
"parentTaskId":"17223590",
"lockdownId":"806894",
"tasklist-lockdownId":"806894",
"has-dependencies":2,
"has-predecessors":0,
"hasTickets":false,
"timeIsLogged":"0",
"attachments-count":0,
"responsible-party-ids":"317122,316954",
"responsible-party-id":"317122,316954",
"responsible-party-names":"Projects T.|3333.",
"responsible-party-type":"Person",
"responsible-party-firstname":"33333",
"responsible-party-lastname":"3333",
"responsible-party-summary":"You + 1 other",
"predecessors":[
],
"parent-task":{
"content":"Customization - Infrastructure Log Monitoring / HW",
"id":"17223590"
},
"canEdit":true,
"viewEstimatedTime":true,
"canLogTime":false,
"userFollowingComments":false,
"userFollowingChanges":false,
"DLM":0
},
{
"id":17223405,
"canComplete":false,
"comments-count":1,
"description":"",
"has-reminders":false,
"has-unread-comments":false,
"private":2,
"content":"fdfdfdfdfdfd",
"order":2000,
"project-id":353705,
"project-name":"asdf",
"todo-list-id":1533948,
"todo-list-name":"Phase Two",
"tasklist-private":true,
"tasklist-isTemplate":false,
"status":"new",
"company-name":"asdasd",
"company-id":103131,
"creator-id":316954,
"creator-firstname":"3333",
"creator-lastname":"333333",
"completed":false,
"start-date":"20180227",
"due-date-base":"20180408",
"due-date":"20180408",
"created-on":"2018-02-21T04:42:49Z",
"last-changed-on":"2018-03-29T10:34:36Z",
"position":2000,
"estimated-minutes":0,
"priority":"",
"progress":0,
"harvest-enabled":false,
"parentTaskId":"17223403",
"lockdownId":"806894",
"tasklist-lockdownId":"806894",
"has-dependencies":2,
"has-predecessors":0,
"hasTickets":false,
"timeIsLogged":"0",
"attachments-count":0,
"responsible-party-ids":"221525",
"responsible-party-id":"221525",
"responsible-party-names":"3333A.",
"responsible-party-type":"Person",
"responsible-party-firstname":"3333",
"responsible-party-lastname":"Al33i",
"responsible-party-summary":"3333A.",
"predecessors":[
],
"parent-task":{
"content":"Work Package 3",
"id":"17223403"
},
"canEdit":false,
"viewEstimatedTime":true,
"canLogTime":false,
"commentFollowerSummary":"You + 2 others",
"commentFollowerIds":"221525,316954,317122",
"userFollowingComments":true,
"userFollowingChanges":false,
"DLM":0
},
Is this just a file on disk, or is it coming from some code somewhere? If so, a few things will need to happen:
1) Strip out the header
2) Define a line breaker
3) Strip out the footer (closing square bracket and curly brace)
This props.conf may work (it is hard to tell without a complete sample):
[myJSON]
SEDCMD-remove_header = s/^(?:.*\n){1,3}//g
SEDCMD-remove_footer = s/\][\r\n]\s*\}.*$//g
LINE_BREAKER = \}(\s*,[\r\n]\s*)\{
It is a best practice to have some time formatting in your props.conf also, but I don't see anything that looks like a timestamp.
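An alternative to the regex route, added here as an example and not part of either answer or of Splunk itself: a small Python filter that does the same three steps (drop the header, break at each item, drop the footer) by parsing the response and writing one compact JSON object per line. A file of such lines breaks into one event per item with Splunk's default line breaking, so no SEDCMD or LINE_BREAKER is needed. It assumes the downloaded payload is complete JSON with the `STATUS` and `todo-items` keys shown in the question; the sample below is constructed from that shape.

```python
import json
import sys

# Constructed sample modelled on the payload in the question (not the real export).
SAMPLE = """{
"STATUS":"OK",
"todo-items":[
{
"id":17223591,
"content":"Map Indexed Data of Windows Servers to Windows Infrastructure App",
"created-on":"2018-02-21T05:53:40Z",
"parent-task":{
"content":"Customization - Infrastructure Log Monitoring / HW",
"id":"17223590"
}
},
{
"id":17223405,
"content":"fdfdfdfdfdfd",
"created-on":"2018-02-21T04:42:49Z",
"parent-task":{
"content":"Work Package 3",
"id":"17223403"
}
}
]
}"""


def split_todo_items(raw: str) -> list[str]:
    """Return one single-line JSON document per todo item.

    Parsing the whole response (rather than regex-cutting it) means a truncated
    or error response is rejected instead of being indexed as broken events.
    """
    doc = json.loads(raw)  # raises ValueError on a truncated download
    if doc.get("STATUS") != "OK":
        raise ValueError(f"API status {doc.get('STATUS')!r}, not ingesting")
    items = doc.get("todo-items")
    if not isinstance(items, list):
        raise ValueError("no todo-items array in response")
    # compact separators + ASCII escaping keep each item on exactly one line
    return [json.dumps(item, separators=(",", ":"), ensure_ascii=True)
            for item in items]


if __name__ == "__main__":
    # usage: curl ... | python split_todo.py >> /path/to/todo_items.ndjson
    for line in split_todo_items(sys.stdin.read()):
        print(line)
```

Point the monitor input at the `.ndjson` file instead of the raw download; KV_MODE=json in props.conf then extracts the fields of each item at search time.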
Thanks for the answer. I am pulling down the JSON using a curl script and have put a continuous monitor in place for this to be ingested onto the Splunk instance.
In that case, I would recommend using the Splunk Add-on Builder which can automate this for you (and break the events without all that regex mentioned above). Here is a walkthrough -> http://dev.splunk.com/view/addon-builder/SP-CAAAFCA
The updated location of the Splunk Add-on Builder documentation is https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/UseTheApp