Channel: Questions in topic: "splunk-enterprise"

JSON line breaking

I am trying to break one big JSON event into several events, eventually 1080, but in the example below there would be 5 events.

I know I need to create a props.conf. This is what I have so far, but it is not working:

    [me_json]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = ([\r\n]+)agent_installed_dir
    TIME_PREFIX = process_end_time:\s+
    TIME_FORMAT = %s%3N

This is a sample of the event, with real data (systems/IPs) removed:

    { [-]
      message_response: { [-]
        limit: 5
        page: 1
        scancomputers: [ [-]
          { [-]
            agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\
            agent_installed_on: 1535659874922
            agent_last_contact_time: 1571069154000
            agent_logged_on_users: blah
            agent_version: 10.0.362.W
            branch_office_name: my Computers
            build_number: 18362.418
            computer_live_status: 1
            computer_status_update_time: 1570734355370
            description: --
            domain_netbios_name: mydomain
            error_kb_url: --
            installation_status: 22
            ip_address: 10.100.1.1
            last_successful_scan: 1570718183654
            last_sync_time: 1571072071009
            mac_address: xx:xx:xx:xx:xx:xx
            os_platform: 1
            os_version: 10.0.18362
            osflavor_id: 0
            process_end_time: 1570718183654
            process_start_time: 1569940581295
            resource_id: 3373
            resource_name: blah_blah1
            scan_remarks: dc.common.SCANNING_COMPLETED
            scan_remarks_en: Scanning Completed
            scan_status: 2
            service_pack: Windows 10 Version 1903 (x64)
            service_pack_major_version: 0
            service_pack_minor_version: 0
            software_name: Windows 10 Professional Edition (x64)
            status_label: dc.db.som.status.installed_successfully
          }
          { [-]
            agent_installed_dir: C:\Program Files (x86)\DesktopCentral_Agent\
            agent_installed_on: 1535662084385
            agent_last_contact_time: 1571070178000
            agent_logged_on_users: --
            agent_version: 10.0.362.W
            branch_office_name: my Computers
            build_number: 7601.24524
            computer_live_status: 1
            computer_status_update_time: 1570737696974
            description: --
            domain_netbios_name: mydomain
            error_kb_url: --
            installation_status: 22
            ip_address: 10.100.1.2
            last_successful_scan: 1570716193151
            last_sync_time: 1571072071009
            mac_address: xx:xx:xx:xx:xx:xx
            os_platform: 1
            os_version: 6.1.7601
            osflavor_id: 0
            process_end_time: 1570716193151
            process_start_time: 1569573982199
            resource_id: 3539
            resource_name: blah_blah2
            scan_remarks: dc.common.SCANNING_COMPLETED
            scan_remarks_en: Scanning Completed
            scan_status: 2
            service_pack: Windows 7 SP1 (x64)
            service_pack_major_version: 1
            service_pack_minor_version: 0
            software_name: Windows 7 Professional Edition (x64)
            status_label: dc.db.som.status.installed_successfully
          }
          { [+] }
          { [+] }
          { [+] }
        ]
        total: 1080
      }
      message_type: scancomputers
      message_version: 1.0
      status: success
    }
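
The following is an added example, not part of the original post and not Splunk code. It simulates how LINE_BREAKER and TIME_PREFIX patterns are applied to the raw text rather than to the expanded tree view shown above. It assumes the raw payload is compact JSON with quoted keys; `make_raw`, `split_events`, `event_time`, `RAW_BREAKER` and `RAW_TIME_PREFIX` are hypothetical names and patterns written for that constructed payload.

```python
import json
import re

def make_raw(n):
    """Constructed payload (assumption): compact JSON shaped like the post's tree view."""
    hosts = [{"agent_installed_dir": "C:\\Program Files (x86)\\DesktopCentral_Agent\\",
              "process_end_time": 1570718183654 + i,
              "resource_name": f"blah_blah{i + 1}"} for i in range(n)]
    body = {"limit": n, "page": 1, "scancomputers": hosts, "total": 1080}
    return json.dumps({"message_response": body, "message_type": "scancomputers",
                       "status": "success"})

def split_events(raw, line_breaker):
    """Mimic LINE_BREAKER: capture group 1 is discarded; the text before it
    closes one event and the text after it opens the next."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]

def event_time(event, time_prefix):
    """Mimic TIME_PREFIX + TIME_FORMAT = %s%3N: epoch seconds, then milliseconds."""
    m = re.search(time_prefix + r"(\d{10})(\d{3})", event)
    return (int(m.group(1)), int(m.group(2))) if m else None

# Settings as posted in the question.
POSTED_BREAKER = r"([\r\n]+)agent_installed_dir"
POSTED_TIME_PREFIX = r"process_end_time:\s+"
# Hypothetical patterns written for the constructed raw JSON above.
RAW_BREAKER = r'(\[\s*|,\s*)\{\s*"agent_installed_dir"'
RAW_TIME_PREFIX = r'"process_end_time":\s*'

if __name__ == "__main__":
    raw = make_raw(5)
    for name, brk, pre in (("posted", POSTED_BREAKER, POSTED_TIME_PREFIX),
                           ("raw-aware", RAW_BREAKER, RAW_TIME_PREFIX)):
        events = split_events(raw, brk)
        print(name, len(events), [event_time(e, pre) for e in events])
```

With the raw-aware pattern, the envelope before the array becomes its own leading event and the closing `], "total": ...` stays attached to the last host event, so both would still need handling at ingest.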
