Solved: How to assign custom JSON field with epoch time as... - Page 2

akhanVG · ‎02-25-2015

We are inputting JSON fields to splunk. One of the fields eventTime should be the event time for the index.

{
    browserType:  Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4 
    campaignLocation:  null 
    campaignName:  null 
    currentPage:  /test
    eventBy:  application 
    eventName:  pageLoad 
    eventSource:  frontend 
    eventTime:  1424822395 
    ipAddress:  127.1.1.1:45770 
    isMobile:  true 
    referrer:  http://tfdf.dfdf.com
    sessionId:  null 
    userId:  null 
}

The eventTime is in millisecond format (UTC)

This is what the JSON value looks like raw in the log file

{"browserType":"Mozilla/5.0 (Linux; Android 5.0; SM-G900V Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.109 Mobile Safari/537.36","campaignLocation":null,"campaignName":null,"currentPage":"/dfd6","eventBy":"application","eventName":"pageLoad","eventSource":"frontend","eventTime":"1424822393","ipAddress":"192.168.1.1:58674","isMobile":true,"referrer":"http:dfsdf,"sessionId":null,"userId":null}

s2_splunk · ‎02-25-2015

OK, your complete props.conf for this sourcetype as it exists on the indexer needs to look like this (assuming every event is on its own line):

[hermes]
TIME_PREFIX=eventTime:\s+
TIME_FORMAT=%s
KV_MODE=json

If your timestamp is not in fact an epoch time, but milliseconds, try
TIME_FORMAT=%s%3N

If you can't get it to work, I suggest you use the DataPreview tool in the Splunk UI, but this is very straightforward.

View solution in original post

How to assign custom JSON field with epoch time as the timestamp for events?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!