https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-failed-if-no-INDEXED-EXTRACTION-json-on/m-p/558724#M92425 <P>Hi,</P><P>no luck.. same results in the UI (tried with "" and not) :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Capture du 2021-07-08 18-05-58.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14990i28A70B971639C79C/image-size/large?v=v2&amp;px=999" role="button" title="Capture du 2021-07-08 18-05-58.png" alt="Capture du 2021-07-08 18-05-58.png" /></span></P><P>&nbsp;</P><P>Thanks for the suggestion anyway.</P><P>Regards,</P><P>Ema</P> Thu, 08 Jul 2021 16:06:56 GMT emallinger 2021-07-08T16:06:56Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-failed-if-no-INDEXED-EXTRACTION-json-on/m-p/558719#M92421 <P>Hello,</P><P>On a monoinstance Splunk, I'd like to ingest some simple JSON data :</P><P>&nbsp;</P><LI-CODE lang="markup"> { GDH: 2021-07-08 16:54:00.617222 action: )reV[viZpy)4noHQFhs7;)*!wHlRaY3mo4R(o6, dossier: FR668CORG2021078979348557 id: 4000000 ident: 267987 ip: 10.226.689.32 org: PN service: 3647971 telephone: +33672108802 } </LI-CODE><P>&nbsp;</P><P>I'd like to use only KV_mode, without indexed_extractions = json.</P><P>Here's my sourcetype :</P><P>&nbsp;</P><LI-CODE lang="markup">[data_kvm_json] DATETIME_CONFIG = KV_MODE = LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false TIMESTAMP_FIELDS = GDH TIME_FORMAT = %Y-%m-%d %H:%M:%S.%6N category = Structured description = sourcetype - kv_mode extraction disabled = false pulldown_type = true NO_BINARY_CHECK = true</LI-CODE><P>&nbsp;</P><P>Here's the result :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Capture du 2021-07-08 17-44-41.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14989iCEDABFE555C7E152/image-size/large?v=v2&amp;px=999" role="button" title="Capture du 2021-07-08 17-44-41.png" alt="Capture du 2021-07-08 17-44-41.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>The event is indexed at the time of the ingestion, not the event date wich is is GDH field.</P><P>&nbsp;</P><P>I have several sourcetypes on another environnement (clustered IDX + SH), where this positionned in props.conf on indexer cluster works fine.</P><P>Is this a consequence of the architecture being only a mono-instance ?</P><P>What did I miss ?</P><P>Thanks,</P><P>Regards,</P><P>Eglantine</P> Thu, 08 Jul 2021 15:49:09 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-failed-if-no-INDEXED-EXTRACTION-json-on/m-p/558719#M92421 emallinger 2021-07-08T15:49:09Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-failed-if-no-INDEXED-EXTRACTION-json-on/m-p/558722#M92424 <P>Try adding <FONT face="courier new,courier">TIME_PREFIX = GDH: <FONT face="arial,helvetica,sans-serif">to props.conf</FONT></FONT></P> Thu, 08 Jul 2021 15:58:25 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-failed-if-no-INDEXED-EXTRACTION-json-on/m-p/558722#M92424 richgalloway 2021-07-08T15:58:25Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-failed-if-no-INDEXED-EXTRACTION-json-on/m-p/558724#M92425 <P>Hi,</P><P>no luck.. same results in the UI (tried with "" and not) :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Capture du 2021-07-08 18-05-58.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14990i28A70B971639C79C/image-size/large?v=v2&amp;px=999" role="button" title="Capture du 2021-07-08 18-05-58.png" alt="Capture du 2021-07-08 18-05-58.png" /></span></P><P>&nbsp;</P><P>Thanks for the suggestion anyway.</P><P>Regards,</P><P>Ema</P> Thu, 08 Jul 2021 16:06:56 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-failed-if-no-INDEXED-EXTRACTION-json-on/m-p/558724#M92425 emallinger 2021-07-08T16:06:56Z