Hi,
I am trying to index a local JSON file, but when going through the sourcetype, the predefined JSON sourcetype is not reading the file properly. Splunk puts everything in one line, no detecting time format or anything (see attached file).
Then I found that Splunk is not indexing separate events because the JSON file starts with { and ends with }. If I remove those characters, Splunk will give me a line per event.
Does someone know how I can remove the { at the beginning and the } at the end with Splunk before indexing?
I'm putting this when I go through the wizard (data input, local file) in the advanced section:
**SEDCMD-removesymbol = s/^{/g (this is not working)**
thanks
```json
{
  "records": [
    {
      "time": "2018-05-11T13:29:03Z",
      "GatewayId": "4r566-5678-4753-968f-34568",
      "Region": "unknown",
      "operationName": "ApplicationGatewayAccess",
      "category": "ApplicationGatewayAccessLog"
    },
    {
      "time": "2018-05-11T13:29:05Z",
      "GatewayId": "4r566-ae57-dfg543-968f-xxx45t67",
      "Region": "unknown",
      "operationName": "ApplicationGatewayAccess",
      "category": "ApplicationGatewayAccessLog"
    }
  ]
}
```
Can someone please help me?
thanks
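One way to get one event per line out of a file shaped like the one above is to unwrap the `{"records": [...]}` envelope into newline-delimited JSON before Splunk monitors it. The script below is an added example, not the poster's input or Splunk's own code; the sample text is constructed to match the post (trailing commas included), and the trailing-comma cleanup is an assumption about the file, not something standard JSON allows.

```python
import json
import re

# Constructed sample in the shape of the file in the question: an Azure
# Application Gateway access-log export wrapped in {"records": [ ... ]}.
# The trailing commas from the original post are kept on purpose.
SAMPLE = '''{"records":
[
{"time": "2018-05-11T13:29:03Z", "GatewayId": "4r566-5678-4753-968f-34568",
 "Region": "unknown", "operationName": "ApplicationGatewayAccess",
 "category": "ApplicationGatewayAccessLog",}
,
{"time": "2018-05-11T13:29:05Z", "GatewayId": "4r566-ae57-dfg543-968f-xxx45t67",
 "Region": "unknown", "operationName": "ApplicationGatewayAccess",
 "category": "ApplicationGatewayAccessLog",}
]}'''

# A comma directly before a closing } or ] is not valid JSON; drop it so
# json.loads accepts the file. (Assumes no string value ends in ",}" or ",]".)
_TRAILING_COMMA = re.compile(r',(\s*[\]}])')


def unwrap_records(text: str) -> list[str]:
    """Return one compact, single-line JSON document per entry in "records"."""
    cleaned = _TRAILING_COMMA.sub(r'\1', text)
    doc = json.loads(cleaned)
    records = doc.get("records")
    if not isinstance(records, list):
        raise ValueError('expected a top-level "records" array')
    # Compact separators keep each event on one line; the "time" field is
    # preserved so Splunk can take the timestamp from it.
    return [json.dumps(r, separators=(",", ":")) for r in records]


def write_ndjson(src_path: str, dst_path: str) -> int:
    """Rewrite src_path as newline-delimited JSON; return the event count."""
    with open(src_path, encoding="utf-8") as f:
        lines = unwrap_records(f.read())
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    import sys
    print(f"wrote {write_ndjson(sys.argv[1], sys.argv[2])} events")
```

Point the monitor input at the rewritten file with the `_json` sourcetype and each line becomes its own event, with no SEDCMD needed.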