Solved: Can you tell me what I am doing wrong with my prop...

daniel333 · ‎07-06-2016

All,

I have the following little JSON dump which works perfectly out of the box. But for best practices I was writing out my entire props.conf.

[root@SERVER bin]# ./callstatus.sh 
{
   "current": {
      "health": 1,
      "subject": "Facebook Platform is Healthy"
   },
   "push": {
      "status": "Complete",
      "updated": "2016-07-05T15:58:37-07:00",
      "id": 61595219
   }

When I set this, it works fine.

[facebook:curl:status]
# Index time extractions
KV_MODE=json

But once I add the CURRENT to the time the event gets weirdly line broken.

[facebook:curl:status]
# Index time extractions
KV_MODE=json
DATETIME_CONFIG=CURRENT

Any ideas why DATETIME_CONFIG=CURRENT is breaking it?

woodcock · ‎07-06-2016

This is documented:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configuretimestamprecognition

Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely not to work as desired.
When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging.

View solution in original post

woodcock · ‎07-06-2016

This is documented:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configuretimestamprecognition

Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely not to work as desired.
When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging.

Can you tell me what I am doing wrong with my props.conf for this JSON file?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk