https://community.splunk.com/t5/Getting-Data-In/JSON-with-Timestamp-syslog/m-p/513900#M87125 <P>Putting the props.conf on the indexer fixed my issue.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 13 Aug 2020 12:46:55 GMT poisar 2020-08-13T12:46:55Z https://community.splunk.com/t5/Getting-Data-In/JSON-with-Timestamp-syslog/m-p/513877#M87123 <P>Hello,</P><P>i am getting the following json via syslog and i ingest it to splunk.</P><P>Aug 13 12:45:40 10.200.7.200 {"Status": "Failed", "Received": "2020-08-13T10:45:07.2887421", "ToIP": null, "StartDate": "2020-08-13T10:44:39.530583Z", "Index": 2, "EndDate": "2020-08-13T10:45:39.530583Z", "FromIP": "2603:10a6:803:67::17"}</P><P>&nbsp;</P><P>i want to extract the json data. So i created a new app on my searchhead with a props.conf for my custom sourcetype:</P><P>[security:type]<BR />TIME_PREFIX = "Received":\s*"<BR /># SEDCMD-strip_prefix = s/^[^{]+//g<BR />SEDCMD-StripHeader = s/^[^\{]+//<BR />INDEXED_EXTRACTIONS=JSON<BR />KV_MODE=json<BR />TZ = UTC</P><P>&nbsp;</P><P>still it doesnt extract the json data. Can someone help me out?</P><P>&nbsp;</P><P>thanks in advance!</P><P>Andreas</P> Thu, 13 Aug 2020 10:59:45 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-with-Timestamp-syslog/m-p/513877#M87123 poisar 2020-08-13T10:59:45Z https://community.splunk.com/t5/Getting-Data-In/JSON-with-Timestamp-syslog/m-p/513900#M87125 <P>Putting the props.conf on the indexer fixed my issue.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 13 Aug 2020 12:46:55 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-with-Timestamp-syslog/m-p/513900#M87125 poisar 2020-08-13T12:46:55Z