Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract event timestamp from json log file at index time?

aenache
Engager
‎11-09-2015 08:18 AM

I'm trying to extract timestamps for log events that I am forwarding to Splunk as json log files, and instead of getting the date correctly from inside the json, Splunk seems to get the timestamp from the log file's Date Modified. (that's the only datetime that matches, isn't that weird?)

The json is properly formatted and validated, and is serialised to string using the Json.NET JsonConvert, so my json around the datetime looks like this:

"Request": {
  "TimestampUtc": "2015-11-09T14:33:53.3239117Z",
  "Headers": {

I set sourcetype=_json for my UniversalForwarder in the inputs.conf file for Splunk_TA_windows, monitoring a directory on my hard drive. Logfile names have the format service.log.json, and the TimestampUtc property is on the 10th line, about 140 characters in inside the object.

On the Splunk server, the default props.conf has

[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
category = Structured

and the local props.conf has

[_json]
INDEXED_EXTRACTIONS = json
pulldown_type = true
KV_MODE = none
AUTO_KV_JSON = false
#TIMESTAMP_FIELDS = TimestampUtc
TIME_PREFIX=/"TimestampUtc": "/
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 27
category = Structured

Can someone point me to the right configuration for this extraction? I have tried a multitude of combinations but without success.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aenache
Engager
‎11-17-2015 07:47 AM

Fixed! I needed to move the datetime property at the top level in the json object. Kept the same configuration settings.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aenache
Engager
‎11-17-2015 07:47 AM

Fixed! I needed to move the datetime property at the top level in the json object. Kept the same configuration settings.

0 Karma
Reply
Solved! Jump to solution

bharat1478
New Member
‎02-02-2016 06:28 AM

But it looks like your timestamp field was already at the top of the json object ?
"Request": {
"TimestampUtc": "2015-11-09T14:33:53.3239117Z",
"Headers": {

Where exactly did you move it to ?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...