TA Zeek JSON Parsing

Splunk Technology Add-on for parsing newline-delimited Zeek JSON logs into individual events with correct JSON field extraction.

Latest Version 1.0.0
March 26, 2026
Compatibility
Splunk Enterprise, Splunk Cloud
Platform Version: 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1
Rating

0 (0)

Support

Developer Supported addon

TA Zeek JSON Parsing is a lightweight Splunk Technology Add-on for Zeek logs in newline-delimited JSON format. It solves a common ingestion problem where multiple JSON events can be treated as grouped text unless proper event breaking is applied before JSON field extraction. This add-on defines a dedicated `zeek_json` sourcetype with line-breaking and JSON parsing settings so Splunk can split each JSON object into its own event and extract fields correctly. It is intended for deployment on the parsing tier, such as a heavy forwarder or indexer, where event breaking occurs.
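As an added illustration, not the add-on's shipped configuration, this is the shape of a props.conf stanza that gives a Zeek NDJSON sourcetype the line breaking and JSON extraction the description refers to. It assumes Zeek's default JSON output, where every line is one complete JSON object carrying an epoch-seconds `ts` field.

```ini
# Illustrative props.conf stanza for newline-delimited Zeek JSON logs.
# Added example, not the add-on's own configuration. Assumes Zeek's
# default JSON writer, where each line is one JSON object such as
#   {"ts":1700000000.123456,"uid":"CXXXX","id.orig_h":"10.0.0.5", ...}
# (constructed sample line; field values are placeholders).
[zeek_json]
# Every line is a complete event: break on newlines and never merge lines.
# Without this, Splunk's default line merging can glue several JSON objects
# into one event and field extraction then fails or picks the first object.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Take the timestamp from the "ts" field rather than letting Splunk guess.
# Zeek's default is epoch seconds with microseconds; if the JSON writer is
# set to ISO 8601 timestamps instead, TIME_FORMAT must change to match.
TIME_PREFIX = "ts":
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 20
# Some Zeek records (http.log, files.log, notice.log) run well past the
# 10000-byte default; raise the limit so events are not silently cut.
TRUNCATE = 100000
# Search-time JSON extraction of the raw line into fields.
KV_MODE = json
```

After deploying a stanza like this on the parsing tier, confirm the split worked by checking that the event count for the sourcetype equals the number of lines in the source file and that the `_time` of each event matches its `ts` value.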

Categories

Security, Fraud & Compliance, SIEM

Created By

Kaled Aljebur

Type

addon

Downloads

3
