topic Re: Json parsing - Failed to parse timestamp in Getting Data In

Json parsing - Failed to parse timestamp

shakSplunk — Wed, 02 Jun 2021 06:33:54 GMT

Hi all,

I'm quite new to splunk. I've been testing the manual upload of the following json file to splunk enterprise. However, I'm getting the error "Failed to parse timestamp" so I'm guessing it's unable to read the timestamp that is available in the json file "date_time". Would anyone be able to help me with this issue, also I am unable to alter the config file (etc/...) so hopefully the solution can be done through the web UI.

JSON input file:

{ "SVP": { "rcc": { "application": { "ICE13": { "hostname": "218", "domain": "rc", "app_id": "13", "version": "413", "date_time": "29/05/2021" }, "ICE1": { "hostname": "lnxau2004st0218", "domain": "rcc", "app_id": "1", "version": "413", "date_time": "31/05/2021", "UPP": { "hostname": "218", "domain": "rc", "version": "null", "date_time": "29/05/2021" } } }, "utility": { "ICE13": { "Ctl.sh": { "hostname": "218", "domain": "rc", "version": "144", "date_time": "29/05/2021" } }, "ICE1": { "Ctl.sh": { "hostname": "218", "domain": "rc", "version": "144", "date_time": "31/05/2021" } }, "ICE5": { "Ctl.sh": { "hostname": "218", "domain": "rc", "version": "144", "date_time": "30/05/2021" } }, "ICE9": { "Ctl.sh": { "hostname": "218", "domain": "rc", "version": "144", "date_time": "31/05/2021" } }, "ICE11": { "Ctl.sh": { "hostname": "219", "domain": "rc", "version": "140", "date_time": "30/05/2021" } } } } } }

Thanks for any and all help!

Re: Json parsing - Failed to parse timestamp

richgalloway — Wed, 02 Jun 2021 12:38:22 GMT

What are the props.conf settings for that sourcetype?

Re: Json parsing - Failed to parse timestamp

shakSplunk — Thu, 03 Jun 2021 03:37:56 GMT

My props.configs file looks like this:

[output_simplified1]

DATETIME_CONFIG =

INDEXED_EXTRACTIONS = JSON

KV_MODE = none

LINE_BREAKER = ([\r\n]+)

NO_BINARY_CHECK = true

category = Structured

description = JavaScript Object Notation format. For more information, visit http://json.org/

disabled = false

pulldown_type = true

TIME_PREFIX = },"date_time":

TIME_FORMAT = %d/%m/%Y

What my goal here is to an event for each timestamp, thus 1 event capturing the following information:

"SVP": { "rcc": { "application": { "ICE13": { "hostname": "218", "domain": "rc", "app_id": "13", "version": "413", "date_time": "29/05/2021" }

With the next event containing:

"ICE1": { "hostname": "lnxau2004st0218", "domain": "rcc", "app_id": "1", "version": "413", "date_time": "31/05/2021"

with the Application, rcc and SVP upper level keys also attached.

Essentially every object that has a data_time attribute, it should be turned its own independent event that should be able to be categorised based on the keys. E.g. Filtering based on "application" whilst within SVP.rcc

Is this possible? Is it overcomplicating and consequently should the data structure be altered?

Re: Json parsing - Failed to parse timestamp

kamlesh_vaghela — Thu, 03 Jun 2021 09:16:32 GMT

@shakSplunk

from your provided sample json what output you expecting?