<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Extracting Timestamps from JSON logs in Splunk 6.5.0 in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242053#M46907</link>
    <pubDate>Tue, 29 Sep 2020 11:21:30 GMT</pubDate>
    <dc:creator>baegoon</dc:creator>
    <dc:date>2020-09-29T11:21:30Z</dc:date>
    <item>
      <title>Extracting Timestamps from JSON logs in Splunk 6.5.0</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242053#M46907</link>
      <description>&lt;P&gt;I have a JSON formatted event and I am trying to get props.conf to recognize the timestamp. The timestamp occurs at the beginning of the event with "ts": (see example event below).&lt;BR /&gt;
I have the following in my custom props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;KV_MODE=json
TIME_PREFIX = "ts": "
TIME_FORMAT = %s.%6N
#DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 3
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TZ = UTC
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have also tried&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;INDEXED_EXTRACTIONS = json
TIME_PREFIX = "ts": "
TIME_FORMAT = %s.%Q
KV_MODE=none
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Which is better for 6.5.0, INDEXED_EXTRACTIONS or KV_MODE? And I assume my regex for the timestamp field is also not extracting correctly, and neither is the epoch timestamp?&lt;BR /&gt;
This also does not work in the Data Input part of Splunk when indexing the file. I can't get the timestamp extracted properly.&lt;BR /&gt;
Lastly, is the order of the stanza important as well?&lt;/P&gt;

&lt;P&gt;Help me Splunkers!!!&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;{"ts":1475380313.087024,"uid":"CY8PlE1b4UHBBIE6ql","id.orig_h":"12.23.56.78","id.orig_p":62359,"id.resp_h":"172.217.4.206","id.resp_p":443,"fuid":"FAEKzAJTlOkNOzjZ8","file_mime_type":"application/pkix-cert","file_desc":"172.217.4.206:443/tcp","seen.indicator":"google-analytics.com","seen.indicator_type":"Intel::DOMAIN","seen.where":"X509::IN_CERT","seen.node":"bro","sources":["from http://hosts-file.net/ad_servers.txt via intel.criticalstack.com"]}
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:21:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242053#M46907</guid>
      <dc:creator>baegoon</dc:creator>
      <dc:date>2020-09-29T11:21:30Z</dc:date>
    </item>
    <item>
      <title>Re: Extracting Timestamps from JSON logs in Splunk 6.5.0</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242054#M46908</link>
      <description>&lt;P&gt;Here is what I have:&lt;BR /&gt;
TIME_PREFIX=^{"ts":&lt;BR /&gt;
TIME_FORMAT=%s.%6Q&lt;BR /&gt;
Seems to work for me. I got _time= 10/1/16 10:51:53.087 PM&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:21:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242054#M46908</guid>
      <dc:creator>sshelly_splunk</dc:creator>
      <dc:date>2020-09-29T11:21:38Z</dc:date>
    </item>
    <item>
      <title>Re: Extracting Timestamps from JSON logs in Splunk 6.5.0</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242055#M46909</link>
      <description>&lt;P&gt;Thanks for the response. I just tried that and even re-indexed the data, and now I get an error about the timestamp being beyond Jan 1, 1970 and needing to adjust MAX_DAYS_AGO and MAX_DAYS_HENCE. Do you happen to have these set as well? Otherwise I have to use an eval statement at search time.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:24:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242055#M46909</guid>
      <dc:creator>baegoon</dc:creator>
      <dc:date>2020-09-29T11:24:44Z</dc:date>
    </item>
    <item>
      <title>Re: Extracting Timestamps from JSON logs in Splunk 6.5.0</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242056#M46910</link>
      <description>&lt;P&gt;I think if you are getting the error about being pre-1970, it is a TIME_FORMAT issue. I would make sure that the sourcetype you are using is not defined in multiple locations. If on Linux, you can do a 'find $SPLUNK_HOME/etc -name props.conf | xargs grep "your sourcetype name"' (minus the quotes and ticks) and see if it appears in multiple locations. I indexed with only those 2 attributes defined/assigned, and I got the date of Oct 1, 2016. If you could post your props.conf, then we can take a look at it as well.&lt;BR /&gt;
-hth&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:21:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242056#M46910</guid>
      <dc:creator>sshelly_splunk</dc:creator>
      <dc:date>2020-09-29T11:21:54Z</dc:date>
    </item>
    <item>
      <title>Re: Extracting Timestamps from JSON logs in Splunk 6.5.0</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242057#M46911</link>
      <description>&lt;P&gt;Sure here is the complete props.conf file that is in my app. I did do a search and that sourcetype is only listed in that file.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[bro-intel]
INDEXED_EXTRACTIONS = json
#TIME_PREFIX =/["][t][s]["][:]/
#TIME_FORMAT = %s.%Q
TIME_PREFIX=^{"ts":
TIME_FORMAT=%s.%6Q
KV_MODE=none
#DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 6
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TZ = UTC
category = Custom
description = Intel framework for BRO IDS
disabled = false
pulldown_type = true
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:22:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242057#M46911</guid>
      <dc:creator>baegoon</dc:creator>
      <dc:date>2020-09-29T11:22:21Z</dc:date>
    </item>
    <item>
      <title>Re: Extracting Timestamps from JSON logs in Splunk 6.5.0</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242058#M46912</link>
      <description>&lt;P&gt;Remove the timestamp lookahead. If you want to use it, it must be set to 10 or larger for this data (just checked and confirmed it in my environment), but I did not use it.&lt;/P&gt;</description>
      <pubDate>Thu, 13 Oct 2016 14:56:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242058#M46912</guid>
      <dc:creator>sshelly_splunk</dc:creator>
      <dc:date>2016-10-13T14:56:09Z</dc:date>
    </item>
    <item>
      <title>Re: Extracting Timestamps from JSON logs in Splunk 6.5.0</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242059#M46913</link>
      <description>&lt;P&gt;OK, that works!!!!&lt;/P&gt;

&lt;P&gt;The MAX_TIMESTAMP_LOOKAHEAD = 6 should be ZERO!!! THANKS SShelly! It was really simple. Now on to BRO DASHBOARDS!!!&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;INDEXED_EXTRACTIONS = json
TIME_PREFIX=^{"ts":
TIME_FORMAT=%s.%6Q
KV_MODE=none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TZ = UTC
category = Custom
description = Intel framework for BRO IDS
disabled = false
pulldown_type = true
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 11:30:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extracting-Timestamps-from-JSON-logs-in-Splunk-6-5-0/m-p/242059#M46913</guid>
      <dc:creator>baegoon</dc:creator>
      <dc:date>2020-09-29T11:30:19Z</dc:date>
    </item>
  </channel>
</rss>