Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with props.conf for timestamp

vrmandadi
Builder
‎03-25-2020 12:48 PM

Hello All ,

I have a json data format , which I am trying to import into splunk .I want to extract the timestamp from the last field value a multivalue field .For instance there is a field called appid which is a multivalue field with values 1573503539877 , 1573503539875,1573503539878,1573503539873 .I want to make the last value as the timestamp .

The last timestamp for the multivalue field appid has the following format with closed flower brackets and a square bracket but the others have just a flower bracket

MULTIVALUE FIELD "APPID" -first event
apps: [ [-]
{ [-]
addedById: 5d013c468
appId: 5d0d1fc13d418bdf5
dateAdded: /Date(1573503009489)/

MULTIVALUE FIELD APPID-last value which needs to be extracted
addedById: 398
appId:ccaaadb
dateAdded: /Date(1584128055615)/
}
]

alt text

Preview file
39 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-25-2020 02:32 PM

This worked.

[ alt ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=JSON
KV_MODE=JSON
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=60
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TRUNCATE=10000
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIME_PREFIX=(Date()\d+)\\/\"}]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vrmandadi
Builder
‎03-25-2020 02:32 PM

This worked.

[ alt ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=JSON
KV_MODE=JSON
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=60
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TRUNCATE=10000
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIME_PREFIX=(Date()\d+)\\/\"}]

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-25-2020 02:25 PM 
[alt ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=none
KV_MODE=JSON
LINE_BREAKER=([\r\n]+){
MAX_TIMESTAMP_LOOKAHEAD=1000
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
TRUNCATE=0
category=Structured
description=JSON
disabled=false
pulldown_type=true
TIME_PREFIX=.*Date\(
TIME_FORMAT=%s%3N

INDEXED_EXTRACTIONS OR KV_MODE should be set only one.
If LINE_BREAKER is good, TIME_PREFIX 's REGEX match greedy.
so, latest Date match _time

0 Karma
Reply
Solved! Jump to solution

darrenfuller
Contributor
‎03-25-2020 01:59 PM

I am making a guess at how the raw json looks... but since the raw JSON will be all on one line with no carriage returns. try something like so in your props.conf: 

TIME_PREFIX = (dateAdded:\s\/Date\()\d+\)\/\}\]
TIME_FORMAT = %s%3N
MAX_TIMESTAMP_LOOKAHEAD = 25

The regex is looking for a dateAdded: /Date(1234567891234) followed by the end strings of your event : }]

https://regex101.com/r/918sTd/1

Hope this helps...

.//D

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-25-2020 02:10 PM

Thank You @darrenfuller for your reply . I tried the props you told me but that did not work .

[alt ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=JSON
KV_MODE=JSON
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=25
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TRUNCATE=10000
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIME_PREFIX=(dateAdded:\s\/Date()\d+)\/}]
TIME_FORMAT=%s%3N

I am pasting the raw format of data how it looks like.the one in bold before collection id is what I am looking at

"dateAdded":"\/Date(1576263356219)\/"},{"addedById":"5d013cd01758d3c468","appId":"5d013d418c2cf","dateAdded":"\/Date(1576263482497)\/"},{"addedById":"5d013cd013c468","appId":"5d35d43d17588644c6c25","dateAdded":"\/Date(1576263489027)\/"},{"addedById":"5d013cd084d3c468","appId":"5e5dc7827acaa","dateAdded":"\/Date(1583177463548)\/"},{"addedById":"5d013cd01d3c468","appId":"5e5d5c7827af0c","dateAdded":"\/Date(1583177467959)\/"}],"collectionId"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...