Hello, I'm having problems parsing our client's json events. But when I add them locally with the Add data menu it works just fine. Even if I index them, I search on my test index and the parsing works fine.
I tried doing that in our client's environment, I had the same result, in add data works fine, but the events start to break. (my ST is present at every component, UF, indexer and SH)
I think it may be some limits configuration related thing, not sure if the problem is in the UF, in the indexer, or in the SH.
here is my sourcetype:
[my_st]
BREAK_ONLY_BEFORE = ^{
NO_BINARY_CHECK = true
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%Q"
TIME_PREFIX = \"(?:inicio|timestamp)\"\:\s?\s?\s?
category = Structured
disabled = false
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 25
LINE_BREAKER = ^{
MAX_EVENTS = 999999
TRUNCATE = 0
Thanks!
↧
