Unable to set indexed time value from JSON file to _time

shahid285
Path Finder

Hi All,
I am finding it difficult to set the event time (_time) from the indexed JSON-format file.

I have done the configuration as below.

In props.conf:
[aci-inventory]
INDEXED_EXTRACTIONS = json
KV_MODE = json
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ({|[\s+{)
MUST_BREAK_AFTER = (}|}\s+])
SEDCMD-remove_header = s/({\s+.+?[)//g
SEDCMD-remove_trailing_commas = s/},/}/g
SEDCMD-remove_footer = s/]\s+}//g
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIMESTAMP_FIELDS = requested_on
TRANSFORMS-datetime = aci_timestamp

In transforms.conf:
[aci_timestamp]
SOURCE_KEY = requested_on
DEST_KEY = _time

The example JSON file I used is as below:

{
  "IPRequestLog": [
    {
      "access_key": "test",
      "id": "0ac03844-a374-4237-9172-a7af9122bed2",
      "ip_address": "192.168.1.245",
      "requested_on": "2015-07-28 06:47:48",
      "source_ip": "49.248.183.29"
    },
    {
      "access_key": "test",
      "id": "0ac03844-a374-4237-9172-e33f206474ff",
      "ip_address": "192.168.1.245",
      "requested_on": "2015-07-28 06:47:54",
      "source_ip": "49.248.183.29"
    },
    {
      "access_key": "test",
      "id": "0ac03844-a374-4237-9172-5c256d8d502e",
      "ip_address": "192.168.1.245",
      "requested_on": "2015-07-28 06:47:51",
      "source_ip": "49.248.183.29"
    }
  ]
}

Also, please let me know if we really need to set the following keys in transforms.conf. If so, what would they be for the above input file?
REGEX =
FORMAT =

I have checked the CSV sample that was posted here, which is how I came to this conclusion, and it is not working for me.
Requesting help at the earliest.
Thanks
Mohammed Shahid Nawaz

adonio
Ultra Champion

Without testing: in TIME_FORMAT, try to get rid of the T.
TIME_FORMAT = %Y-%m-%d %H:%M:%S
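
The mismatch adonio points at (a literal T in TIME_FORMAT, a space in the data) can be checked outside Splunk before touching props.conf again. The script below is an added example, not code from this thread or from Splunk: it parses the question's requested_on values with both TIME_FORMAT strings, and it unwraps the wrapper object into one JSON object per line, which is a form that needs no SEDCMD header/footer stripping at all. The sample document is constructed to match the shape of the one posted (the function does not care whether the array key is IPRequestLog or imdata); UTC is assumed for the epoch values, where Splunk would apply the sourcetype's TZ setting instead.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the same shape as the file in the question: a wrapper
# object whose single key holds an array of records. Not real data.
SAMPLE = """{
  "IPRequestLog": [
    {"access_key": "test", "id": "0ac03844-a374-4237-9172-a7af9122bed2",
     "ip_address": "192.168.1.245", "requested_on": "2015-07-28 06:47:48",
     "source_ip": "49.248.183.29"},
    {"access_key": "test", "id": "0ac03844-a374-4237-9172-e33f206474ff",
     "ip_address": "192.168.1.245", "requested_on": "2015-07-28 06:47:54",
     "source_ip": "49.248.183.29"}
  ]
}"""

ORIGINAL_FORMAT = "%Y-%m-%dT%H:%M:%S"   # TIME_FORMAT from the question's props.conf
CORRECTED_FORMAT = "%Y-%m-%d %H:%M:%S"  # the literal T replaced by a space


def parse_time(value, fmt):
    """Return the epoch for value under fmt, or None if fmt does not match.
    Assumes UTC; Splunk would use the TZ setting of the sourcetype/indexer."""
    try:
        return int(datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp())
    except ValueError:
        return None


def flatten(raw):
    """Unwrap {"<key>": [ {...}, {...} ]} into the list of records."""
    doc = json.loads(raw)
    arrays = [v for v in doc.values() if isinstance(v, list)]
    if len(arrays) != 1:
        raise ValueError("expected exactly one array under the wrapper object")
    return arrays[0]


def to_ndjson(raw, time_field, fmt):
    """One compact JSON object per line (newline-delimited JSON), with every
    record's time_field checked against fmt before anything is shipped.
    Returns (lines, epochs); raises ValueError on the first record whose
    timestamp would not be recognised under fmt."""
    lines, epochs = [], []
    for rec in flatten(raw):
        epoch = parse_time(rec[time_field], fmt)
        if epoch is None:
            raise ValueError(f"{time_field}={rec[time_field]!r} does not match {fmt!r}")
        lines.append(json.dumps(rec, separators=(",", ":")))
        epochs.append(epoch)
    return lines, epochs


if __name__ == "__main__":
    print("with the T:", parse_time("2015-07-28 06:47:48", ORIGINAL_FORMAT))
    lines, epochs = to_ndjson(SAMPLE, "requested_on", CORRECTED_FORMAT)
    print("\n".join(lines))
    print("epochs:", epochs)
```

Feeding the newline-delimited output to Splunk instead of the wrapped array means each line is already one event, so the line-breaking and SEDCMD settings in the question are not needed; only the TIME_FORMAT (and, with INDEXED_EXTRACTIONS = json, TIMESTAMP_FIELDS) has to be right.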

anilsharmahk
New Member

Step 1: try it only in props:

TIME_FORMAT = %Y-%m-%d %H:%M
TIME_PREFIX = \"requested_on\":\s

Just check the exact brackets and quotes, etc.

Play with props; that should give you what you need.
You don't need a transform for this.

Also take this out: TIMESTAMP_FIELDS = requested_on

shahid285
Path Finder

@adonio: The TIME_FORMAT change did not make any difference, as I had tried it earlier. I am getting the indexed data as expected, but the event time, i.e. _time, needs to be the value of requested_on.

anilsharmahk
New Member

@shahid @adonio
Yes, I get it; that's what TIME_PREFIX will do.

TIME_PREFIX = \"requested_on\":\s
Tune this against:
"requested_on": "2015-07-12 06:47:51",

shahid285
Path Finder

@adonio: The TIME_FORMAT change did not make any difference, as I had tried it earlier. I am getting the indexed data as expected, but the event time, i.e. _time, needs to be the value of requested_on.

@anilsharmahk: I tried your approach, and now not even the data is getting indexed, whereas earlier I was getting indexed data.

anilsharmahk
New Member

Is it, @adonio? Why did data indexing stop? Your props is messed up; you can't have both

INDEXED_EXTRACTIONS = json
KV_MODE = json

Use either one.
I thought you just needed help on the time format and TIME_PREFIX.
Please see the props.conf documentation for JSON files.

shahid285
Path Finder

Hi @anilsharmahk, even if I have both, or remove either KV_MODE or INDEXED_EXTRACTIONS, the result is the same as I am presently getting.
I checked the documentation and was clueless as to why the indexing logic behaves so differently for JSON while it works for CSV.

Thanks
Mohammed Shahid Nawaz

anilsharmahk
New Member

OK, let's do this, mate: post the JSON and props.
Use only props; you don't need a transform.
I can recode the full props for you. Is your Splunk on Windows or Linux? On a cluster, and what version? Are you putting this props on the forwarder?

shahid285
Path Finder

@anilsharmahk Hi, were you able to debug the issue by any chance?

thanks
Mohammed Shahid Nawaz

anilsharmahk
New Member

Thanks @shahid285.
This is how I would try to resolve it:
Step 1: clear all the indexes for this sourcetype [aci-inventory]
Step 2: remove any bucket copies of the index (optional)
Step 3: create a sourcetype [aci-inventory] on the forwarder
Step 4: open props.conf and first get the date right:
[aci-inventory]
pulldown_type = true
KV_MODE = json
description = For indexing JSON comments
category = Custom
BREAK_ONLY_BEFORE = {(")ca
TIME_PREFIX = \"requested_on\":\s
TRUNCATE = 0
LINE_BREAKER = }(,){(")ca
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M
disabled = false
SEDCMD-remove = s/{\"imdata\":\s[{/{/g
SEDCMD-find_and_replace = s/}]}]}/}]}/1

Step 5: save props.conf and restart Splunk
Step 6: push data

Step 7: check the data on the search head

Just tune the above; it takes a few runs to get right.
That's it.

Give it a go, bro.

Thanks
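
To see what the TIME_PREFIX and TIME_FORMAT settings in the step-4 props would actually do to one of the ACI events, here is a small simulation. It is an added example, not part of this thread or of Splunk: it models only the documented behaviour that the timestamp is looked for in the text following the first TIME_PREFIX match, within MAX_TIMESTAMP_LOOKAHEAD characters, and that text after a satisfied TIME_FORMAT is ignored; it returns None where Splunk would fall back to its other timestamp heuristics. The event string is constructed from the second JSON posted in the thread (trimmed to a few fields), the prefix regex is the one written in the thread, and UTC is assumed. Three formats are compared: the question's literal-T format finds nothing, the step-4 format without %S parses but silently drops the seconds, and a format with a space and %S returns the full value.

```python
import re
from datetime import datetime, timezone

# Constructed single event in the shape of one record from the "imdata" array
# posted in the thread, trimmed to a few fields. Not real fault data.
EVENT = ('{"cause":"resolution-failed","code":"F0955","dn":"fltcode-F0955",'
         '"requested_on": "2015-07-12 06:47:51","type":"config"}')

# The TIME_PREFIX exactly as written in the thread's props.conf. In a regex,
# \" is simply a literal double quote and \s one whitespace character.
THREAD_TIME_PREFIX = r'\"requested_on\":\s'


def strptime_prefix(text, fmt):
    """Parse the longest leading substring of text that satisfies fmt.
    Returns (datetime, chars_consumed) or None. Characters after the parsed
    part are ignored, which is what lets a format without %S accept a value
    that does carry seconds: they are simply dropped."""
    for end in range(len(text), 0, -1):
        try:
            return datetime.strptime(text[:end], fmt), end
        except ValueError:
            continue
    return None


def extract_time(event, time_prefix, time_format, max_lookahead=128):
    """Simplified model (assumption, not Splunk's code) of how TIME_PREFIX,
    TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD interact: find the first prefix
    match, then the first position within the lookahead window where
    time_format parses. Returns the UTC epoch, or None where Splunk would
    fall back to other timestamp heuristics."""
    match = re.search(time_prefix, event)
    if match is None:
        return None
    window = event[match.end():match.end() + max_lookahead]
    for start in range(len(window)):
        hit = strptime_prefix(window[start:], time_format)
        if hit is not None:
            parsed, _consumed = hit
            return int(parsed.replace(tzinfo=timezone.utc).timestamp())
    return None


def compare_formats(event, time_prefix):
    """Run the three TIME_FORMAT variants seen in the thread against one event."""
    return {
        "question (literal T)": extract_time(event, time_prefix, "%Y-%m-%dT%H:%M:%S"),
        "step-4 props (no %S)": extract_time(event, time_prefix, "%Y-%m-%d %H:%M"),
        "space and seconds": extract_time(event, time_prefix, "%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    for label, epoch in compare_formats(EVENT, THREAD_TIME_PREFIX).items():
        shown = (datetime.fromtimestamp(epoch, timezone.utc) if epoch is not None
                 else "no timestamp found")
        print(f"{label:22s} -> {shown}")
    # A prefix that does not allow for the space after the colon matches nothing,
    # so no timestamp is found at all.
    print(extract_time(EVENT, r'\"requested_on\":\"', "%Y-%m-%d %H:%M:%S"))
```

The practical caveat this surfaces is the missing %S in the step-4 TIME_FORMAT: the events would still get a _time, but every event in the same minute would collapse onto the same second, which matters when the field is later used to order or correlate faults. The last print shows the other failure mode: a TIME_PREFIX that does not match the event's exact spacing finds nothing, so checking the regex against a real event (as anilsharmahk suggests) is the first thing to do.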

shahid285
Path Finder

Alright, the JSON I am trying to use is as follows:
{
  "imdata": [
    {
      "cause": "resolution-failed",
      "childAction": "",
      "code": "F0955",
      "count": "1",
      "descr": "The object refers to an object that was not found.",
      "dn": "fltcode-F0955",
      "domain": "infra",
      "nonAcked": "1",
      "nonDelegated": "1",
      "nonDelegatedAndNonAcked": "1",
      "rule": "fv-rs-bd-resolve-fail",
      "severity": "warning",
      "status": "",
      "subject": "relation-resolution",
      "requested_on": "2015-07-12 06:47:51",
      "type": "config"
    },
    {
      "cause": "protocol-ntp-provisioning-failed",
      "childAction": "",
      "code": "F1699",
      "count": "1",
      "descr": "This fault occurs when a ntp configuration on a switch has problems",
      "dn": "fltcode-F1699",
      "domain": "infra",
      "nonAcked": "1",
      "nonDelegated": "1",
      "nonDelegatedAndNonAcked": "1",
      "rule": "datetime-ntp-provider-status-ntp-prov-fault",
      "severity": "warning",
      "status": "",
      "subject": "ntp",
      "requested_on": "2015-07-12 06:47:51",
      "type": "operational"
    }
  ]
}

The props.conf is the default one and has been left untouched, except for my newly added sourcetype settings for indexing, which are the same as before.

[aci-inventory]
INDEXED_EXTRACTIONS = json
KV_MODE = json
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ({|[\s+{)
MUST_BREAK_AFTER = (}|}\s+])
SEDCMD-remove_header = s/({\s+.+?[)//g
SEDCMD-remove_trailing_commas = s/},/}/g
SEDCMD-remove_footer = s/]\s+}//g
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIMESTAMP_FIELDS = requested_on

I am doing a basic setup with a universal forwarder, an indexer and a search head on Linux VMs (CentOS 7).
The Splunk I use is the most recent, as I downloaded it just yesterday.

Thanks
Mohammed Shahid Nawaz

anilsharmahk
New Member

[aci-inventory]
INDEXED_EXTRACTIONS =
KV_MODE = json
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ({|[\s+{)
MUST_BREAK_AFTER = (}|}\s+])
SEDCMD-remove_header = s/({\s+.+?[)//g
SEDCMD-remove_trailing_commas = s/},/}/g
SEDCMD-remove_footer = s/]\s+}//g
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = \"requested_on\":\s
TRANSFORMS-datetime = aci_timestamp