Splunk - how to parse JSON ingested from Azure blob?


I have a file called "30 Jan 2020.json" that contains 2 records:

[
  {
    "Sender": "John",
    "Recipient": "Alice",
    "Subject": "Hello",
    "MessageDate": "10 Jan 2020"
  },
  {
    "Sender": "Jane",
    "Recipient": "Bob",
    "Subject": "Holiday",
    "MessageDate": "15 Jan 2020"
  }
]

My props.conf file is

[_json_for_azure]
INDEXED_EXTRACTIONS = json
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = 1

and in inputs.conf I specified

[mscs_storage_blob://mycontainer]
account = mycontainername
blob_mode = append
collection_interval = 60
container_name = mycontainer
sourcetype = mscs:storage:json

But when this data is ingested, I only get entries called _Time, and when I expand any of them, they show the whole file's JSON as a single string in one row. I want the actual data, such as each Sender, Recipient and Subject, to be ingested as individual entries, so that when I search for an individual sender such as John, only the single row is returned rather than the whole file contents. This is the behaviour when using the Azure Splunk plugin. When I loaded the file directly via the "Add data" option from the main menu, the file was parsed correctly with individual entries.


There are 0 answers
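The question turns on event breaking: with LINE_BREAKER = ([\r\n]+) each line is an event, so a pretty-printed JSON array arrives either as one event holding the whole file or as fragments, and a search for one Sender returns the whole blob. A common practitioner workaround is to normalise the blob to newline-delimited JSON (one compact object per line) before it is written to the container, so that the existing line breaker yields one event per record. The following is an added example, not code from the question or from Splunk or the Microsoft Cloud Services add-on; the sample text is a constructed copy of the asker's file with its missing comma repaired, and the function names (load_records, to_ndjson, search_events, is_valid) are this example's own. It also shows why strict parsing matters: the original file's missing comma is rejected with a line number instead of being ingested as an opaque string.

```python
import json
from typing import Any, Dict, List

# Constructed sample: the asker's "30 Jan 2020.json" (comma after "Holiday" fixed).
SAMPLE_ARRAY_FILE = """[
  {"Sender": "John", "Recipient": "Alice", "Subject": "Hello", "MessageDate": "10 Jan 2020"},
  {"Sender": "Jane", "Recipient": "Bob", "Subject": "Holiday", "MessageDate": "15 Jan 2020"}
]"""


def load_records(text: str) -> List[Dict[str, Any]]:
    """Parse a blob that is either a top-level JSON array of objects or
    newline-delimited JSON. Malformed input raises ValueError with a location
    rather than being passed through as one opaque string."""
    stripped = text.strip()
    if stripped.startswith("["):
        try:
            data = json.loads(stripped)
        except json.JSONDecodeError as e:
            raise ValueError(f"invalid JSON array at line {e.lineno} col {e.colno}: {e.msg}") from e
        if not all(isinstance(r, dict) for r in data):
            raise ValueError("every array element must be a JSON object")
        return data
    records: List[Dict[str, Any]] = []
    for n, line in enumerate(stripped.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as e:
            raise ValueError(f"invalid NDJSON at line {n}: {e.msg}") from e
        if not isinstance(rec, dict):
            raise ValueError(f"line {n} is not a JSON object")
        records.append(rec)
    return records


def to_ndjson(text: str) -> str:
    """Emit one compact JSON object per line: the shape a line-based
    LINE_BREAKER turns into one event per record. Idempotent on NDJSON input."""
    return "\n".join(json.dumps(r, separators=(",", ":"), sort_keys=True)
                     for r in load_records(text)) + "\n"


def is_valid(text: str) -> bool:
    """True if the blob parses cleanly as an array of objects or as NDJSON."""
    try:
        load_records(text)
        return True
    except ValueError:
        return False


def search_events(ndjson: str, field: str, value: str) -> List[Dict[str, Any]]:
    """Simulate a field search over line-broken events: each line is one event,
    so matching on Sender returns only the matching record, not the whole file."""
    events = (json.loads(line) for line in ndjson.splitlines() if line.strip())
    return [e for e in events if e.get(field) == value]


if __name__ == "__main__":
    ndjson = to_ndjson(SAMPLE_ARRAY_FILE)
    print(ndjson, end="")
    print(search_events(ndjson, "Sender", "John"))
```

If the files cannot be rewritten before upload, the same normalisation can run in the pipeline that writes the blob; either way the goal is that what lands in the container is already one record per line, so the input stanza's line breaking and the JSON extraction both see per-record events.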