Hi,
I am facing an issue while using a REST API source (Cohesity audit logs).
The API returns a valid JSON response in this format:
However, in Cribl preview/capture, the data is not coming as a single complete JSON object. Instead:
- One event contains the correct full JSON
- Other events are split fragments (starting mid-string, not valid JSON)
Example behavior:
- Event 1 → valid JSON object ({"auditLogs": [...]})
- Event 2+ → partial JSON fragments (missing opening {, starting inside fields)
Because of this:
- JSON.parse(_raw) fails or behaves inconsistently
- JSON Unroll cannot work reliably
- Derived fields (e.g., TimeGenerated) are null
- Parsing becomes impossible for many events
Observations:
- cribl_breaker shows OData JSON:single-object
- Sometimes fallback behavior is applied
- Custom event breaker with JSON Array also did not produce consistent results
- Pipeline-level filtering/parsing only works partially because upstream data is already fragmented
Question
How can we ensure that the REST API response is treated as a single intact JSON event before parsing?
Specifically:
- How to prevent Cribl from splitting a valid JSON body into fragments?
- What is the correct event breaker configuration for a wrapper JSON with an array (not standard OData format)?
- Is there a recommended approach for handling large JSON responses in REST Collector?
Thanks.
