https://community.splunk.com/t5/Splunk-Search/PROPS-configuration-for-Source-Data-with-Field-Names-and-Values/m-p/568862#M198265 <P>It would help if you explained what you mean by "it's not working".</P><P>The TIMESTAMP_FIELDS setting is for use with INDEXED_EXTRACTIONS.&nbsp; Try these settings</P><LI-CODE lang="markup">[ __auto__learned__ ] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) TIME_PREFIX = \{"timeStamp":" TIME_FORMAT = %Y-%m-%d %H:%M:%S %Z MAX_TIMESTAMP_LOOKAHEAD = 29</LI-CODE><P>&nbsp;</P> Wed, 29 Sep 2021 00:30:47 GMT richgalloway 2021-09-29T00:30:47Z https://community.splunk.com/t5/Splunk-Search/PROPS-configuration-for-Source-Data-with-Field-Names-and-Values/m-p/568789#M198225 <P>Hello,</P><P>I have some issues writing a PROPS configuration file for the following&nbsp; source&nbsp;data stored in text file. I&nbsp; also used <STRONG>TIMESTAMP_FIELDS=&nbsp;timeStamp </STRONG>there<STRONG>, </STRONG>to have field values under field names<STRONG>.&nbsp;</STRONG> But, it's not working. My PROPS configuration and a sample event are given below.&nbsp; Any help will be highly appreciated. Thank you so much.&nbsp;</P><P>&nbsp;</P><P class="x_MsoNormal">[ __auto__learned__ ]</P><P class="x_MsoNormal">SHOULD_LINEMERGE=false</P><P class="x_MsoNormal">LINE_BREAKER=([\r\n]+)</P><P class="x_MsoNormal">TIMESTAMP_FIELDS=timeStamp</P><P class="x_MsoNormal">TIME_PREFIX =^\{\"timeStamp\"\:\"</P><P class="x_MsoNormal">TIME_FORMAT=%Y-%m-%d %H:%M:%S</P><P class="x_MsoNormal">MAX_TIMESTAMP_LOOKAHEAD=29</P><P class="x_MsoNormal">&nbsp;</P><P class="x_MsoNormal">{"timeStamp":"2021-06-21 14:53:56 EDT","appName":"OSD","userType":"FILTER","StatCd":null,"Amt":null,"errorMsg":"","eventId":"APP_ENTRY","eventType":"VIEW","fileSourceCd":null,"ipAddr":"11.212.41.151","mftCd":null,"outputCd":null,"planNum":null,"reasonCd":null,"returnCd":"00","sessionId":"XWGMwkncVD0m60OQBOahu8s/qG1c=","Period":null,"cat":"234207501","Type":null,"userId":"cdabea740a-g9a0-408f-a6a7-5ae70c689e6d","vsardata":{"uri":"/osd/rest/accountSummary","host":"appsa.rup.afsiep.net","ipAddress":"11.212.41.151","Id":"AXSabea753c-d9a0-408f-a6a7-5ae70c689e6d","requestId":"as58510cd-0459-614b7bc4-1afdd700-0bf875285d76","referer":<A href="https://saada.ruer.egsiep.net/osd/" target="_blank" rel="noopener noreferrer">https://saada.ruer.egsiep.net/osd/</A>,"responseStatus":0}}</P><P class="x_MsoNormal">&nbsp;</P> Tue, 28 Sep 2021 16:12:43 GMT https://community.splunk.com/t5/Splunk-Search/PROPS-configuration-for-Source-Data-with-Field-Names-and-Values/m-p/568789#M198225 SplunkDash 2021-09-28T16:12:43Z https://community.splunk.com/t5/Splunk-Search/PROPS-configuration-for-Source-Data-with-Field-Names-and-Values/m-p/568862#M198265 <P>It would help if you explained what you mean by "it's not working".</P><P>The TIMESTAMP_FIELDS setting is for use with INDEXED_EXTRACTIONS.&nbsp; Try these settings</P><LI-CODE lang="markup">[ __auto__learned__ ] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) TIME_PREFIX = \{"timeStamp":" TIME_FORMAT = %Y-%m-%d %H:%M:%S %Z MAX_TIMESTAMP_LOOKAHEAD = 29</LI-CODE><P>&nbsp;</P> Wed, 29 Sep 2021 00:30:47 GMT https://community.splunk.com/t5/Splunk-Search/PROPS-configuration-for-Source-Data-with-Field-Names-and-Values/m-p/568862#M198265 richgalloway 2021-09-29T00:30:47Z