
Need help with linebreaker for array of json objects

I am indexing json files. Each file contains an array of around 1,000 json objects (with nested arrays/objects). I need to extract each object as a single event. (See sample json source and props.conf below.)

I use the "add data" button on the UI to index the file, and it looks like it gets all the events. If I just do a search for all the events, the first json object does show up. However, it looks like KV_MODE=json stumbles on the initial [ and is unable to extract the fields, because if I search for one of the fields in the data *(index=foo coach="matt")*, the event is not returned. However, if I search for just the value of the field *(index=foo matt)*, the event is returned.

How do I modify my props.conf to correctly handle the first object in the array?

```
[
    {
        "team" : "spirit",
        "coach": "matt",
        "regDate": "2016-07-31T12:23:34Z",
        "players": [
            {
                "name":"Marissa",
                "positions": ["2B", "P", "C", "RF"]
            },
            {
                "name":"Sierra",
                "positions": ["SS","LF"]
            }
        ]
    },
    {
        "team" : "chill",
        "coach": "bob",
        "regDate": "2016-08-01T12:15:19Z",
        "players": [
            {
                "name":"Rhi",
                "positions": ["3B", "CF","1B"]
            }
        ]
    }
]
```

This is my props.conf:

```
[json_linebreaker]
JSON_TRIM_BRACES_IN_ARRAY_NAMES=true
KV_MODE=json
LINE_BREAKER=\s{4}\},(,[\n\r])\s{4}\{(.*)
MAX_TIMESTAMP_LOOKAHEAD=30
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y-%m-%dT%H:%M:%S%Z
TIME_PREFIX=regDate\"\s*:\s*\"
```
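The failure described in the question above can be reproduced outside Splunk. This is an added example, not code from the post or from Splunk: it emulates the documented LINE_BREAKER behaviour (the text matched by the first capture group is discarded between events) and uses Python's strict JSON parser as a stand-in for search-time extraction. `BREAKER`, `WRAPPER`, the function names and the third team in the sample are assumptions made for the illustration.

```python
import json
import re

# Constructed input shaped like the question's file ("storm" is an invented third team).
SAMPLE = """[
    {
        "team": "spirit", "coach": "matt", "regDate": "2016-07-31T12:23:34Z",
        "players": [{"name": "Marissa", "positions": ["2B", "P", "C", "RF"]},
                    {"name": "Sierra", "positions": ["SS", "LF"]}]
    },
    {
        "team": "chill", "coach": "bob", "regDate": "2016-08-01T12:15:19Z",
        "players": [{"name": "Rhi", "positions": ["3B", "CF", "1B"]}]
    },
    {
        "team": "storm", "coach": "ann", "regDate": "2016-08-02T09:00:00Z",
        "players": []
    }
]
"""

# Hypothetical breaker, not the poster's: group 1 is the text dropped between
# events, here the comma and whitespace after a "}" indented by four spaces.
BREAKER = re.compile(r"^ {4}\}(\s*,\s*)(?=\{)", re.M)
WRAPPER = re.compile(r"\A\s*\[\s*|\s*\]\s*\Z")  # leading "[" or trailing "]"

def split_events(raw, breaker=BREAKER):
    """Emulate LINE_BREAKER: cut at each match and discard capture group 1."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return events

def is_json(event):
    """True when the whole event text is one valid JSON document."""
    try:
        json.loads(event)
        return True
    except ValueError:
        return False

def strip_wrapper(event):
    """Remove the array's enclosing bracket from an edge event."""
    return WRAPPER.sub("", event)

if __name__ == "__main__":
    events = split_events(SAMPLE)
    print([is_json(e) for e in events])
    print([is_json(strip_wrapper(e)) for e in events])
```

Only the edge events fail the strict parse, because they still carry the array's `[` or `]`; Splunk's own extractor may treat the trailing bracket differently. Mapping `strip_wrapper` to an index-time `SEDCMD` substitution in props.conf is an assumption here, not something the post confirms.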
