I am pulling JSON files into Splunk from Microsoft Azure. Each JSON file contains multiple events and time stamps.
Below is an example of a JSON file that is being pulled in. When I look in Splunk, I get a single event with 3 different entries for each field extraction listed.
I would like to get 3 different events based on the eventTimestamp and data for each event.
Is there a way to do this on the Universal Forwarder or in props.conf?
If so, could someone provide some guidance?
Note: I have sourcetype = _json in the inputs.conf on the universal forwarder pulling this information.
{
  "Records": [
    {
      "authorization": {
        "action": "Microsoft.Authorization/roleAssignments/write",
        "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/default/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      },
      "eventTimestamp": "2017-01-05T22:17:19.4925915Z",
      "submissionTimestamp": "2017-01-05T22:17:40.0170745Z",
      "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
    {
      "authorization": {
        "action": "Microsoft.Authorization/roleAssignments/write",
        "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/default/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      },
      "eventTimestamp": "2017-01-05T22:17:20.4925915Z",
      "submissionTimestamp": "2017-01-05T22:17:40.0170745Z",
      "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    },
    {
      "authorization": {
        "action": "Microsoft.Authorization/roleAssignments/write",
        "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/default/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      },
      "eventTimestamp": "2017-01-05T22:17:22.9768133Z",
      "submissionTimestamp": "2017-01-05T22:17:40.0141995Z",
      "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
  ]
}
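The props.conf approach the question asks about, as an added example that is not part of the original post and not Splunk's own code. The stanza below uses real props.conf keys (SHOULD_LINEMERGE, LINE_BREAKER, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TZ, KV_MODE); the sourcetype name azure:activity is an assumption. The Python around it is an offline approximation of what Splunk's line breaker and timestamp extractor do with those regexes, so the configuration can be checked against the question's sample (embedded below with the same three records) before it is deployed. Two caveats a practitioner would want: the built-in _json sourcetype sets INDEXED_EXTRACTIONS = json, which makes the universal forwarder parse the whole file as one structured event with multivalued fields, so a custom sourcetype with KV_MODE = json is needed instead; and a universal forwarder does no regex line breaking of its own, so this stanza belongs on the indexer or heavy forwarder that receives the data.

```python
"""Added example: one Splunk event per Azure activity-log record (not from the
original post or from Splunk). Sourcetype name azure:activity is an assumption."""
import json
import re
from datetime import datetime, timezone

# props.conf stanza for the indexer / heavy forwarder. Point inputs.conf on the
# universal forwarder at this sourcetype instead of _json.
PROPS_CONF = r"""
[azure:activity]
SHOULD_LINEMERGE = false
# The first capturing group is the break and is dropped from the events:
# the {"Records":[ prefix, each "},{" separator, and the closing "]}".
LINE_BREAKER = (\{\s*"Records"\s*:\s*\[\s*|(?<=\})\s*,\s*(?=\{)|\s*\]\s*\}\s*)
TIME_PREFIX = "eventTimestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N
MAX_TIMESTAMP_LOOKAHEAD = 32
TZ = UTC
# Search-time JSON field extraction; never combine with INDEXED_EXTRACTIONS = json.
KV_MODE = json
"""

# The same regexes compiled with Python's re, which accepts this PCRE subset.
LINE_BREAKER = re.compile(r'\{\s*"Records"\s*:\s*\[\s*|(?<=\})\s*,\s*(?=\{)|\s*\]\s*\}\s*')
TIME_PREFIX = re.compile(r'"eventTimestamp"\s*:\s*"')
TIME_FORMAT = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{7}')  # %Y-%m-%dT%H:%M:%S.%7N
MAX_TIMESTAMP_LOOKAHEAD = 32


def break_events(raw: str) -> list[dict]:
    """Split a Records file the way the LINE_BREAKER above does, and give each
    event the _time (UTC epoch seconds) Splunk would take from eventTimestamp."""
    events = []
    for chunk in LINE_BREAKER.split(raw):
        if not chunk.strip():          # empty pieces around the prefix and suffix
            continue
        record = json.loads(chunk)     # each piece must still be a complete JSON object
        prefix = TIME_PREFIX.search(chunk)
        if prefix is None:
            raise ValueError("no eventTimestamp; Splunk would fall back to index time")
        window = chunk[prefix.end(): prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
        stamp = TIME_FORMAT.match(window)
        if stamp is None:
            raise ValueError(f"timestamp {window!r} does not match TIME_FORMAT")
        # Python's %f takes at most six digits, so drop Azure's seventh before parsing.
        parsed = datetime.strptime(stamp.group(0)[:-1], "%Y-%m-%dT%H:%M:%S.%f")
        events.append({
            "_time": parsed.replace(tzinfo=timezone.utc).timestamp(),
            "eventTimestamp": record["eventTimestamp"],
            "action": record["authorization"]["action"],
            "_raw": chunk,
        })
    return events


# The question's sample, rebuilt from one record template so it stays short.
RECORD = '''{
"authorization": {
"action": "Microsoft.Authorization/roleAssignments/write",
"scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/default/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
"eventTimestamp": "%s",
"submissionTimestamp": "%s",
"subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}'''
STAMPS = [
    ("2017-01-05T22:17:19.4925915Z", "2017-01-05T22:17:40.0170745Z"),
    ("2017-01-05T22:17:20.4925915Z", "2017-01-05T22:17:40.0170745Z"),
    ("2017-01-05T22:17:22.9768133Z", "2017-01-05T22:17:40.0141995Z"),
]
SAMPLE = '{\n"Records": [\n' + ',\n'.join(RECORD % ts for ts in STAMPS) + '\n]\n}\n'

if __name__ == "__main__":
    for event in break_events(SAMPLE):
        print(event["_time"], event["eventTimestamp"], event["action"])
```

Running the script prints three events, each carrying its own eventTimestamp as _time, which is the result the stanza should produce once the custom sourcetype replaces _json in inputs.conf. If a later file does not split as expected, compare its whitespace around the "},{" separators with what the regex assumes and adjust the LINE_BREAKER here first, since this harness fails loudly on any piece that is no longer a complete JSON object.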