https://community.splunk.com/t5/Getting-Data-In/Trouble-extracting-time-in-JSON/m-p/441755#M77026 <P>I have a JSON log file that I'm attempting to ingest (Splunk v6.6.5). The events parse correctly, but the epoch time isn't being used as the event timestamp. Splunk is using the file modified date for the event timestamp.</P> <P>Here's a sample record and my props config (which lives on the Indexers):</P> <P>{"time":1531405028,"name":"PSIKD01.BOOT","appl":"@ABCVDIF","server":"SERVER1","user":"LSRVID","HandleCount":792,"KernelModeTime":66875000,"OtherOperationCount":18498,"OtherTransferCount":630163,"PageFaults":320216,"PageFileUsage":1349924,"PrivatePageCount":1382322176,"ReadOperationCount":36716,"ReadTransferCount":38844376,"ThreadCount":34,"UserModeTime":363281250,"VirtualSize":2207380942848,"WorkingSetSize":672907264,"WriteOperationCount":205,"WriteTransferCount":63855}</P> <P>[apm_json]<BR /> KV_MODE = none<BR /> INDEXED_EXTRACTIONS = json<BR /> TIME_PREFIX = "time":<BR /> TIME_FORMAT = %s<BR /> SHOULD_LINEMERGE = false<BR /> TRUNCATE = 100000</P> <P>Any help would be appreciated. Thanks!</P> Tue, 29 Sep 2020 20:28:13 GMT ericlarsen 2020-09-29T20:28:13Z https://community.splunk.com/t5/Getting-Data-In/Trouble-extracting-time-in-JSON/m-p/441755#M77026 <P>I have a JSON log file that I'm attempting to ingest (Splunk v6.6.5). The events parse correctly, but the epoch time isn't being used as the event timestamp. Splunk is using the file modified date for the event timestamp.</P> <P>Here's a sample record and my props config (which lives on the Indexers):</P> <P>{"time":1531405028,"name":"PSIKD01.BOOT","appl":"@ABCVDIF","server":"SERVER1","user":"LSRVID","HandleCount":792,"KernelModeTime":66875000,"OtherOperationCount":18498,"OtherTransferCount":630163,"PageFaults":320216,"PageFileUsage":1349924,"PrivatePageCount":1382322176,"ReadOperationCount":36716,"ReadTransferCount":38844376,"ThreadCount":34,"UserModeTime":363281250,"VirtualSize":2207380942848,"WorkingSetSize":672907264,"WriteOperationCount":205,"WriteTransferCount":63855}</P> <P>[apm_json]<BR /> KV_MODE = none<BR /> INDEXED_EXTRACTIONS = json<BR /> TIME_PREFIX = "time":<BR /> TIME_FORMAT = %s<BR /> SHOULD_LINEMERGE = false<BR /> TRUNCATE = 100000</P> <P>Any help would be appreciated. Thanks!</P> Tue, 29 Sep 2020 20:28:13 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-extracting-time-in-JSON/m-p/441755#M77026 ericlarsen 2020-09-29T20:28:13Z https://community.splunk.com/t5/Getting-Data-In/Trouble-extracting-time-in-JSON/m-p/441756#M77027 <P>Everything looks good in the config. Have you looked to see if there is anything overriding that configuration that might be causing the date parsing problem? Use <CODE>btool</CODE> to see what Splunk is actually seeing as the configs:</P> <PRE><CODE>splunk btool props list --debug | less </CODE></PRE> <P>Then search for <CODE>apm_json</CODE> and see if the configs for that sourcetype match the above configs.</P> Tue, 17 Jul 2018 19:02:21 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-extracting-time-in-JSON/m-p/441756#M77027 cpetterborg 2018-07-17T19:02:21Z https://community.splunk.com/t5/Getting-Data-In/Trouble-extracting-time-in-JSON/m-p/441757#M77028 <P>I had run btool on props previously. I confirmed my sourcetype is active.</P> Tue, 17 Jul 2018 19:06:34 GMT https://community.splunk.com/t5/Getting-Data-In/Trouble-extracting-time-in-JSON/m-p/441757#M77028 ericlarsen 2018-07-17T19:06:34Z