https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688442#M114649 <P>Hello Splunkers!!</P><P>I want to ingest below two pattern of events in Splunk and both are in json logs but there timestamp are different. So far I have used below attributes in my props.conf. Please let me know or suggest me if any any other attribute I need to add so my both the pattern of events parse smoothly without any time difference..</P><P>&nbsp;</P><P>[exp_json]<BR />AUTO_KV_JSON = false<BR />DATETIME_CONFIG =<BR />INDEXED_EXTRACTIONS = json<BR />KV_MODE = none<BR />LINE_BREAKER = ([\r\n]+)<BR />NO_BINARY_CHECK = true<BR />TIME_PREFIX = \"time\"\:\"<BR />category = Custom<BR />pulldown_type = true</P><P><BR /><STRONG>Pattern 1:</STRONG><BR />{"datacontenttype":"application/json","data":{"identificationStatus":"NO_IDENTIFICATION_ATTEMPTED","location":"urn:topology:segment:1103.20.15-1103.20.19","carrierId":null,"trackingId":"dc268ac7-168a-11ef-b02a-1feae60bb414"},"subject":"CarrierPositionUpdate","messages":[],"specversion":"1.0","classofpayload":"com.vanderlande.conveyor.boundary.event.business.outbound.CarrierPositionUpdate","id":"8252fb03-2eb2-4619-a59b-24e3280f9bda","source":"conveyor",<STRONG>"time":"2024-05-20T09:29:53.361800Z"</STRONG>,"type":"CarrierPositionUpdate"}</P><P><STRONG>Pattern 2:</STRONG><BR />{"data":{"physicalId":"60040160041570014272","carrierTypeId":"18","carrierId":"60040160041570014272","prioritizedDestinations":[{"name":"urn:topology:location:Pallet Loop (DEP):OBD/Returnflow:Exit01","priority":1},{"name":"urn:topology:location:Pallet Loop (DEP):OBD/Returnflow:Exit02","priority":1}],"transportOrderId":"TO_00001399"},"topic":"transport-order-commands-conveyor","specversion":"1.0",<STRONG>"time":"2024-05-22T18:02:16.669Z"</STRONG>,"id":"34A0DF56-B0B2-4A73-9D7B-034A94D49747","type":"AssignTransportOrder"}<BR /><BR />Thanks in advance!!</P> Thu, 23 May 2024 10:41:38 GMT uagraw01 2024-05-23T10:41:38Z https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688442#M114649 <P>Hello Splunkers!!</P><P>I want to ingest below two pattern of events in Splunk and both are in json logs but there timestamp are different. So far I have used below attributes in my props.conf. Please let me know or suggest me if any any other attribute I need to add so my both the pattern of events parse smoothly without any time difference..</P><P>&nbsp;</P><P>[exp_json]<BR />AUTO_KV_JSON = false<BR />DATETIME_CONFIG =<BR />INDEXED_EXTRACTIONS = json<BR />KV_MODE = none<BR />LINE_BREAKER = ([\r\n]+)<BR />NO_BINARY_CHECK = true<BR />TIME_PREFIX = \"time\"\:\"<BR />category = Custom<BR />pulldown_type = true</P><P><BR /><STRONG>Pattern 1:</STRONG><BR />{"datacontenttype":"application/json","data":{"identificationStatus":"NO_IDENTIFICATION_ATTEMPTED","location":"urn:topology:segment:1103.20.15-1103.20.19","carrierId":null,"trackingId":"dc268ac7-168a-11ef-b02a-1feae60bb414"},"subject":"CarrierPositionUpdate","messages":[],"specversion":"1.0","classofpayload":"com.vanderlande.conveyor.boundary.event.business.outbound.CarrierPositionUpdate","id":"8252fb03-2eb2-4619-a59b-24e3280f9bda","source":"conveyor",<STRONG>"time":"2024-05-20T09:29:53.361800Z"</STRONG>,"type":"CarrierPositionUpdate"}</P><P><STRONG>Pattern 2:</STRONG><BR />{"data":{"physicalId":"60040160041570014272","carrierTypeId":"18","carrierId":"60040160041570014272","prioritizedDestinations":[{"name":"urn:topology:location:Pallet Loop (DEP):OBD/Returnflow:Exit01","priority":1},{"name":"urn:topology:location:Pallet Loop (DEP):OBD/Returnflow:Exit02","priority":1}],"transportOrderId":"TO_00001399"},"topic":"transport-order-commands-conveyor","specversion":"1.0",<STRONG>"time":"2024-05-22T18:02:16.669Z"</STRONG>,"id":"34A0DF56-B0B2-4A73-9D7B-034A94D49747","type":"AssignTransportOrder"}<BR /><BR />Thanks in advance!!</P> Thu, 23 May 2024 10:41:38 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688442#M114649 uagraw01 2024-05-23T10:41:38Z https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688446#M114653 <P>Ideally, these should be ingested as different sourcetypes so that different parsing can be associated with the different formats.</P> Thu, 23 May 2024 10:51:00 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688446#M114653 ITWhisperer 2024-05-23T10:51:00Z https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688452#M114658 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; I am not using&nbsp; TIME_FORMAT attribute here, then probably it should work ? Please share your thoughts.</P> Thu, 23 May 2024 11:09:23 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688452#M114658 uagraw01 2024-05-23T11:09:23Z https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688455#M114660 <P>As I said, these look like two different sourcetypes and should be treated as such</P> Thu, 23 May 2024 11:18:22 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-parsing/m-p/688455#M114660 ITWhisperer 2024-05-23T11:18:22Z