https://community.splunk.com/t5/Getting-Data-In/How-can-I-fix-this-so-that-it-pulls-in-the-timefield-correctly/m-p/641077#M109357 <P>I have events like so:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="javascript">{"action": {"result": true, "type": "login"}, "actor": {"email": "test.email@domain.tld", "id": "0123456789abcdef0123456789abcdef", "ip": "1.2.3.4", "type": "user"}, "id": "01234567-89ab-cdef-0123-456789abcdef", "newValue": "audit", "oldValue": "review", "owner": {"id": "fedcba9876543210fedcba9876543210"}, "when": "2023-04-21T18:52:32Z", "account_name": "test_account"}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The props.conf file is as so:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">[cloudflare_audit] NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=JSON TIMESTAMP_FIELDS=when disabled=false pulldown_type=true</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>When I do this, I wind up with two records per event, <EM>split</EM> at that TIME_PREFIX setting, each record with the time found in "when".</P> <P>Things I've tried so far, based on the above:</P> <UL> <LI>Adding "KV_MODE=none" -- The event is parsed as JSON, but the time is ignored</LI> <LI>Adding "TIME_PREFIX=when": "" and LINE_BREAKER=}$ -- The event is split on "when", again</LI> <LI>Removing "INDEXED_EXTRACTIONS=true" and adding "AUTO_KV_JSON=true" -- The event is parsed as JSON, but the time is ignored</LI> </UL> <P>Two questions:</P> <OL> <LI>How can I fix this so that it pulls in the timefield correctly, without any splitting of the JSON object?</LI> <LI>Why is it so difficult to ingest JSON logs?</LI> </OL> Tue, 09 May 2023 06:28:13 GMT CMSchelin 2023-05-09T06:28:13Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-fix-this-so-that-it-pulls-in-the-timefield-correctly/m-p/641077#M109357 <P>I have events like so:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="javascript">{"action": {"result": true, "type": "login"}, "actor": {"email": "test.email@domain.tld", "id": "0123456789abcdef0123456789abcdef", "ip": "1.2.3.4", "type": "user"}, "id": "01234567-89ab-cdef-0123-456789abcdef", "newValue": "audit", "oldValue": "review", "owner": {"id": "fedcba9876543210fedcba9876543210"}, "when": "2023-04-21T18:52:32Z", "account_name": "test_account"}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The props.conf file is as so:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">[cloudflare_audit] NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=JSON TIMESTAMP_FIELDS=when disabled=false pulldown_type=true</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>When I do this, I wind up with two records per event, <EM>split</EM> at that TIME_PREFIX setting, each record with the time found in "when".</P> <P>Things I've tried so far, based on the above:</P> <UL> <LI>Adding "KV_MODE=none" -- The event is parsed as JSON, but the time is ignored</LI> <LI>Adding "TIME_PREFIX=when": "" and LINE_BREAKER=}$ -- The event is split on "when", again</LI> <LI>Removing "INDEXED_EXTRACTIONS=true" and adding "AUTO_KV_JSON=true" -- The event is parsed as JSON, but the time is ignored</LI> </UL> <P>Two questions:</P> <OL> <LI>How can I fix this so that it pulls in the timefield correctly, without any splitting of the JSON object?</LI> <LI>Why is it so difficult to ingest JSON logs?</LI> </OL> Tue, 09 May 2023 06:28:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-fix-this-so-that-it-pulls-in-the-timefield-correctly/m-p/641077#M109357 CMSchelin 2023-05-09T06:28:13Z