4

I am passing a JSON array object in the HTTP POST as

[{"level":"INFO","data": "Test 1"},{"level":"INFO","data": "Test 2"}]

This message is seen as 1 object/log message in SumoLogic. How can I tell SumoLogic to consider each JSON object as an independent object and show 2 log messages instead of one?

diogo
user1722043

2 Answers

5

I believe this can't be done with the json operator. But, have a look at the docs for the "parse regex" operator. There's an option called "multi" which creates a new message for each match of the regex. In your case, something like this might do the trick:

parse regex "\{(?<fieldname>.*?)\}" multi

I didn't try this in the product itself, but here is a Regex101 link to play with the regex.

  • Here's an example I used to parse some JSON `| parse regex field=event "\"fieldName\":\s*\"(?.*?)\"" multi` – jocull Jun 21 '23 at 18:13
0

I believe the actual answer to this is to not send your logs as an array. Instead, include each JSON object in your body with a '\n' at the end for Sumo to consider these as individual log messages.

{"level":"INFO","data": "Test 1"}\n
{"level":"INFO","data": "Test 2"}\n
Ben Tidman
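The newline-delimited approach from the answer above, as an added example that is not part of the original answers or Sumo Logic's own code: it converts the array from the question into one compact JSON object per line and shows that a value containing a line break still stays on a single line, so it cannot split into extra log messages. The function names and the sample payload are constructed for illustration, and the collector URL is left to the caller.

```python
import json
import urllib.request

# Constructed sample: the array from the question plus one record whose value
# contains a line break, as user-controlled text might.
SAMPLE = '''[
  {"level": "INFO", "data": "Test 1"},
  {"level": "INFO", "data": "Test 2"},
  {"level": "WARN", "data": "line one\\nline two"}
]'''


def to_line_delimited(payload: str) -> bytes:
    """Turn a JSON array (or a single object) into one JSON object per line."""
    parsed = json.loads(payload)
    records = parsed if isinstance(parsed, list) else [parsed]
    lines = []
    for record in records:
        if not isinstance(record, dict):
            raise ValueError(f"expected a JSON object, got {type(record).__name__}")
        # Without indent, json.dumps emits a single line and escapes control
        # characters inside strings, so a value cannot begin a new line.
        lines.append(json.dumps(record, separators=(",", ":")))
    # Every record, including the last, ends with a newline.
    return ("\n".join(lines) + "\n").encode("utf-8")


def build_request(collector_url: str, payload: str) -> urllib.request.Request:
    """Prepare (but do not send) the POST; collector_url comes from the caller."""
    return urllib.request.Request(
        collector_url,
        data=to_line_delimited(payload),
        method="POST",
    )


if __name__ == "__main__":
    # Prints three lines, one JSON object each.
    print(to_line_delimited(SAMPLE).decode("utf-8"), end="")
```

Pretty-printed JSON (with `indent`) would put each object across several lines, so keep the compact form when building the body.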