topic Re: Pls help: JSON timestamp parsing in Getting Data In

JSON timestamp parsing- When events are being fed from UF, the timestamp can't be extracted?

stwong — Tue, 20 Dec 2022 14:11:10 GMT

Hi all,

I use following simple props.conf to some json type events:

[my:sourcetype]
category = Structured
DATETIME_CONFIG =
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
TIME_FORMAT=%s
disabled=false
pulldown_type=true
SHOULD_LINEMERGE=false
TIMESTAMP_FIELDS=timestamp

The event looks like following:

{"access_device": {"browser": "Edge Chromium", "browser_version": "108.0.1462.54", "epkey": null, "flash_version": "uninstalled", "hostname": null, "ip": "192.168.182.230", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": "uninstalled", "location": {"city": "Bestine", "country": "Tatooine", "state": "Central and Western District"}, "os": "Windows", "os_version": "10"}, "adaptive_trust_assessments": {}, "alias": "unknown", "application": {"key": "ABCDEFG1234567", "name": "[UAT] Hello World App"}, "auth_device": {"ip": null, "key": null, "location": {"city": null, "country": null, "state": null}, "name": null}, "email": null, "event_type": "authentication", "factor": "not_available", "isotimestamp": "2022-12-20T09:14:08.755759+00:00", "ood_software": null, "reason": "allow_unenrolled_user", "result": "success", "timestamp": 1671527648, "txid": "c571233d-b357-3f07-e126-ca2623b8e0d9", "user": {"groups": [], "key": null, "name": "luke"}, "eventtype": "authentication", "host": "jedi1.mydomain.com"}

It works when i test it through upload log file by setting sourcetype to my:sourcetype. Fields and timestamp can be extracted.

However, when events are being fed from UF, the timestamp can't be extracted and using the file modified time as timestamp instead.

Tried to add 'TIME_PREFIX=timestamp": ' but didn't help.

Would anyone please help?

Thanks and Regards

Re: Pls help: JSON timestamp parsing

wmazur-splunk — Tue, 20 Dec 2022 13:46:45 GMT

1. https://community.splunk.com/t5/Getting-Data-In/how-to-set-TIME-PREFIX-for-a-json-file/m-p/464284

(so, I guess TIME_PREFIX = authdevice.timestamp )

2. You may also need TIME_FORMAT = %s (https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/Configuretimestamprecognition#Enhanced_strptime.28.29_support)

Re: JSON timestamp parsing- When events are being fed from UF, the timestamp can't be extracted?

richgalloway — Tue, 20 Dec 2022 14:43:58 GMT

It sounds like Splunk is not finding the right timestamp field when the data comes from the UF. Verify inputs.conf on the UF has the right sourcetype value.

The TIME_PREFIX setting you tried is ambiguous. The first match is "isotimestamp" which has a value that is not an epoch timestamp and Splunk perhaps doesn't find an epoch in the next MAX_TIMESTAMP_LOOKAHEAD characters. Try this setting

TIME_PREFIX = "timestamp":

Re: JSON timestamp parsing- When events are being fed from UF, the timestamp can't be extracted?

stwong — Wed, 21 Dec 2022 04:03:36 GMT

Hi all,

Thanks for your help.

Found that the problem is caused by putting some settings in props.conf in the wrong place.
The problem is resolved after putting following on the UF:

INDEXED_EXTRACTIONS = json
TIMESTAMP_FIELDS = timestamp

and put KV_MODE=none on search head.

I have mistaken that index extraction always occurs on indexer which seems depends, based on this:
https://www.aplura.com/assets/pdf/where_to_put_props.pdf

Thanks again.

Best Rgds