https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485332#M83071 <P>@harsmarvania57 I have already tried it and as i said it creates a separate event with just a timestamp. I don't want that I want that whole thing in a single event because I need that timestamp value in my report. I have attached s screenshot where you can see there are 2 separate events but that is actually a single event in the log file</P> Thu, 30 Apr 2020 16:02:14 GMT Shashank_87 2020-04-30T16:02:14Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485328#M83067 <P>Hi, I am trying to upload a file with json formatted data like below but it's not coming properly. I tried using 2 ways -</P> <OL> <LI>When selecting sourcetype as automatic, it is creating a separate event for timestamp field.</LI> <LI>When selecting the sourcetype as _json, the timestamp is not even coming in the event.</LI> </OL> <P>Tue 21 Apr 14:16:26 BST 2020<BR /> {"items":[{"cpu.load": "0.97","total.jvm.memory": "6039.798 MB","free.jvm.memory": "4466.046 MB","used.jvm.memory": "1573.752 MB","total.physical.system.memory": "16.656 GB","total.free.physical.system.memory": "3874.03 MB","total.used.physical.system.memory": "12.782 GB","number.of.cpus": "8"}]}</P> <P>Tue 21 Apr 14:16:36 BST 2020<BR /> {"items":[{"cpu.load": "0.97","total.jvm.memory": "6039.798 MB","free.jvm.memory": "4456.382 MB","used.jvm.memory": "1583.415 MB","total.physical.system.memory": "16.656 GB","total.free.physical.system.memory": "3874.439 MB","total.used.physical.system.memory": "12.782 GB","number.of.cpus": "8"}]}</P> <P>Is there a way to ingest/upload this data properly?</P> <PRE><CODE>Tue 21 Apr 14:16:26 BST 2020 {"items":[{"cpu.load": "0.97","total.jvm.memory": "6039.798 MB","free.jvm.memory": "4466.046 MB","used.jvm.memory": "1573.752 MB","total.physical.system.memory": "16.656 GB","total.free.physical.system.memory": "3874.03 MB","total.used.physical.system.memory": "12.782 GB","number.of.cpus": "8"}]} Tue 21 Apr 14:16:36 BST 2020 {"items":[{"cpu.load": "0.97","total.jvm.memory": "6039.798 MB","free.jvm.memory": "4456.382 MB","used.jvm.memory": "1583.415 MB","total.physical.system.memory": "16.656 GB","total.free.physical.system.memory": "3874.439 MB","total.used.physical.system.memory": "12.782 GB","number.of.cpus": "8"}]} Tue 21 Apr 14:16:46 BST 2020 {"items":[{"cpu.load": "0.84","total.jvm.memory": "6039.798 MB","free.jvm.memory": "4449.94 MB","used.jvm.memory": "1589.858 MB","total.physical.system.memory": "16.656 GB","total.free.physical.system.memory": "3867.042 MB","total.used.physical.system.memory": "12.789 GB","number.of.cpus": "8"}]} </CODE></PRE> Thu, 30 Apr 2020 15:03:00 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485328#M83067 Shashank_87 2020-04-30T15:03:00Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485329#M83068 <P>Hi,</P> <P>Your rawdata contain timestamp <CODE>Tue 21 Apr 14:16:26 BST 2020</CODE> and after that you have valid JSON, so you can't use _json sourcetype or INDEXED_EXTRACTIONS=json</P> <P>At search time you use regex and then spath to create/extract fields from json blob.</P> <P>Like</P> <PRE><CODE>your_base_query | rex field=_raw "(?&lt;ext_json&gt;{[^}]+}]})" | spath input=ext_json </CODE></PRE> Wed, 30 Sep 2020 05:16:07 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485329#M83068 harsmarvania57 2020-09-30T05:16:07Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485330#M83069 <P>@harsmarvania57 Thanks for the response but how would i upload the data at first place? which sourcetype should i use? <BR /> Because if i use automatic, the timestamp field comes as a separate event</P> Thu, 30 Apr 2020 15:21:15 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485330#M83069 Shashank_87 2020-04-30T15:21:15Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485331#M83070 <P>Create your own sourcetype Like app_json</P> Thu, 30 Apr 2020 15:55:24 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485331#M83070 harsmarvania57 2020-04-30T15:55:24Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485332#M83071 <P>@harsmarvania57 I have already tried it and as i said it creates a separate event with just a timestamp. I don't want that I want that whole thing in a single event because I need that timestamp value in my report. I have attached s screenshot where you can see there are 2 separate events but that is actually a single event in the log file</P> Thu, 30 Apr 2020 16:02:14 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485332#M83071 Shashank_87 2020-04-30T16:02:14Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485333#M83072 <P>I can’t see any screenshot, also please provide your raw data in code format(Use 101010 button)</P> Thu, 30 Apr 2020 16:04:52 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485333#M83072 harsmarvania57 2020-04-30T16:04:52Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485334#M83073 <P>@harsmarvania57 added</P> Thu, 30 Apr 2020 16:11:12 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485334#M83073 Shashank_87 2020-04-30T16:11:12Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485335#M83074 <P>Based on data you have provided I have created below sourcetype on Indexer, if you are ingesting data via Heavy Forwarder then you need to create below props.conf on Heavy Forwarder.</P> <P>props.conf</P> <PRE><CODE>[test_st] LINE_BREAKER = }([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 28 SHOULD_LINEMERGE = false TIME_FORMAT = %a %d %b %H:%M:%S %Z %Y </CODE></PRE> <P>And then used search query which I have provided and it is extracting data.</P> Thu, 30 Apr 2020 17:21:37 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485335#M83074 harsmarvania57 2020-04-30T17:21:37Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485336#M83075 <P>@harsmarvania57 That actually worked. Thank you. I am getting time time and the json in same event though the _time field has not been extracted. How do i extract the time because I have to plot the graph based on time.</P> Fri, 01 May 2020 10:40:48 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485336#M83075 Shashank_87 2020-05-01T10:40:48Z https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485337#M83076 <P>I can see time from raw data in _time, see screenshot from my lab instance <A href="https://imgur.com/a/bW5T8ok">https://imgur.com/a/bW5T8ok</A> </P> <P>How are you ingesting data ?</P> Fri, 01 May 2020 11:05:26 GMT https://community.splunk.com/t5/Getting-Data-In/Ingesting-a-Json-format-data-in-Splunk/m-p/485337#M83076 harsmarvania57 2020-05-01T11:05:26Z