https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479875#M99837 <P>Tried changing the entries to :</P> <P>TIME_PREFIX=\"created\":\s\"<BR /> KV_MODE=JSON<BR /> INDEXED_EXTRACTIONS=JSON<BR /> TZ=UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 100</P> <P>as well as :</P> <P>TIME_PREFIX="created":\s"<BR /> KV_MODE=JSON<BR /> INDEXED_EXTRACTIONS=JSON<BR /> TZ=UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 100</P> <P>and </P> <P>TIME_PREFIX=\"created\":\s\"<BR /> KV_MODE=JSON<BR /> INDEXED_EXTRACTIONS=JSON<BR /> TZ=UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 100</P> <P>None of the above worked. </P> Wed, 30 Sep 2020 02:53:38 GMT rishma 2020-09-30T02:53:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479870#M99832 <P>Hi, </P> <P>I have logs format like : <BR /> {"guid": "ABC", "type": "email", "value": "email", "session": "sessioid", "service": "HTTP", "created": "2019-11-07T22:41:28.682+00:00", "remote_host": "ip"}</P> <P>I want to get the timestamp for indexing based on "created" field and want tp show it during search results under _time. </P> <P>I used the below props.conf :<BR /> [sourcetype]<BR /> TIME_PREFIX = "created":\s"<BR /> KV_MODE=JSON<BR /> INDEXED_EXTRACTIONS=JSON<BR /> TZ=UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 1000</P> <P>But its not working. Please guide. </P> <P>Thanks,</P> Wed, 30 Sep 2020 02:53:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479870#M99832 rishma 2020-09-30T02:53:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479871#M99833 <P>Have you tried escaping the quotation marks in your TIME_PREFIX ? </P> <PRE><CODE>TIME_PREFIX = \"created\":\s\" </CODE></PRE> Fri, 08 Nov 2019 00:27:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479871#M99833 dflodstrom 2019-11-08T00:27:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479872#M99834 <P>Try <CODE>TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z</CODE></P> Fri, 08 Nov 2019 01:02:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479872#M99834 richgalloway 2019-11-08T01:02:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479873#M99835 <P>Tried it. But same response. </P> Fri, 08 Nov 2019 01:47:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479873#M99835 rishma 2019-11-08T01:47:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479874#M99836 <P>Tried it. Same response.</P> Fri, 08 Nov 2019 01:49:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479874#M99836 rishma 2019-11-08T01:49:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479875#M99837 <P>Tried changing the entries to :</P> <P>TIME_PREFIX=\"created\":\s\"<BR /> KV_MODE=JSON<BR /> INDEXED_EXTRACTIONS=JSON<BR /> TZ=UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 100</P> <P>as well as :</P> <P>TIME_PREFIX="created":\s"<BR /> KV_MODE=JSON<BR /> INDEXED_EXTRACTIONS=JSON<BR /> TZ=UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 100</P> <P>and </P> <P>TIME_PREFIX=\"created\":\s\"<BR /> KV_MODE=JSON<BR /> INDEXED_EXTRACTIONS=JSON<BR /> TZ=UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 100</P> <P>None of the above worked. </P> Wed, 30 Sep 2020 02:53:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479875#M99837 rishma 2020-09-30T02:53:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479876#M99838 <P>You can try just using <STRONG>TIMESTAMP_FIELDS</STRONG>, ignore other attributes (TIME_PREFIX, TZ, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD). And also attribute <STRONG>KV_MODE</STRONG> is not required during indexed time field extractions.</P> <PRE><CODE>[sourcetype] INDEXED_EXTRACTIONS = json KV_MODE = none TIMESTAMP_FIELDS = created </CODE></PRE> Wed, 30 Sep 2020 02:51:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479876#M99838 manjunathmeti 2020-09-30T02:51:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479877#M99839 <P>Tried this too. But same response. </P> Fri, 08 Nov 2019 16:13:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-indexed-stamp-in-the-splunk-logs/m-p/479877#M99839 rishma 2019-11-08T16:13:18Z