I am currently trying to split my json into multiple events at index time into Splunk. Although when I do this it breaks each line into multiple events. I am not good with regex, so I tried using the regex from the answer here
https://answers.splunk.com/answers/289520/how-to-split-a-json-array-into-multiple-events-wit.html
The answer is exactly how I want my output to be.
Heres my props.conf and my sample json
1.
[jsonsourcetype]
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = ((?
↧