Getting Data In

How to get the indexed timestamp in the Splunk logs

rishma
Explorer

Hi,

I have logs in a format like:
{"guid": "ABC", "type": "email", "value": "email", "session": "sessioid", "service": "HTTP", "created": "2019-11-07T22:41:28.682+00:00", "remote_host": "ip"}

I want the index-time timestamp to be taken from the "created" field and want to show it as _time in the search results.

I used the props.conf below:
[sourcetype]
TIME_PREFIX = "created":\s"
KV_MODE=JSON
INDEXED_EXTRACTIONS=JSON
TZ=UTC
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 1000

But it's not working. Please guide.

Thanks,

0 Karma

manjunathmeti
Champion

You can try just using TIMESTAMP_FIELDS and ignore the other attributes (TIME_PREFIX, TZ, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD). Also, the KV_MODE attribute is not required for index-time field extractions.

[sourcetype]
INDEXED_EXTRACTIONS = json
KV_MODE = none
TIMESTAMP_FIELDS = created

0 Karma

rishma
Explorer

Tried this too. But same response.

0 Karma

rishma
Explorer

Tried changing the entries to :

TIME_PREFIX=\"created\":\s\"
KV_MODE=JSON
INDEXED_EXTRACTIONS=JSON
TZ=UTC
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z
MAX_TIMESTAMP_LOOKAHEAD = 100

as well as :

TIME_PREFIX="created":\s"
KV_MODE=JSON
INDEXED_EXTRACTIONS=JSON
TZ=UTC
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z
MAX_TIMESTAMP_LOOKAHEAD = 100

and

TIME_PREFIX=\"created\":\s\"
KV_MODE=JSON
INDEXED_EXTRACTIONS=JSON
TZ=UTC
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 100

None of the above worked.

0 Karma

richgalloway
SplunkTrust

Try TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%:z

---
If this reply helps you, Karma would be appreciated.
0 Karma

rishma
Explorer

Tried it. But same response.

0 Karma

dflodstrom
Builder

Have you tried escaping the quotation marks in your TIME_PREFIX?

TIME_PREFIX = \"created\":\s\"

0 Karma

rishma
Explorer

Tried it. Same response.

0 Karma
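The settings argued over in this thread (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, and the escaped versus unescaped quotes in the prefix) can be sanity-checked locally before touching props.conf. The script below is an added example written for this page; it is not Splunk code and not from any poster. It emulates what the settings ask for on the sample event from the question using Python's own regex and strptime: the prefix regex is applied, a window of at most MAX_TIMESTAMP_LOOKAHEAD characters after the match is taken, and the longest slice of that window that parses under the format is accepted. Two assumptions to be aware of: the mapping of Splunk's %3N and %:z onto Python's %f and %z is a translation for local testing only, and because Python 3.7+ accepts both +hhmm and +hh:mm for %z, the local parse cannot distinguish Splunk's %z from %:z, so a separate hint flags a bare %z paired with a colon offset, the form for which Splunk documents %:z. The sample event is constructed from the shape of the log line in the question.

```python
import re
from datetime import datetime, timezone

# Constructed sample event, in the shape of the log line from the question.
SAMPLE_EVENT = (
    '{"guid": "ABC", "type": "email", "value": "email", "session": "sessioid", '
    '"service": "HTTP", "created": "2019-11-07T22:41:28.682+00:00", "remote_host": "ip"}'
)

# The two TIME_PREFIX variants and the TIME_FORMAT discussed in the thread.
TIME_PREFIX_UNESCAPED = r'"created":\s"'
TIME_PREFIX_ESCAPED = r'\"created\":\s\"'
TIME_FORMAT_SPLUNK = "%Y-%m-%dT%H:%M:%S.%3N%:z"

# Assumed translation of Splunk strptime extensions into Python tokens (local test only):
# %3N/%6N (sub-second digits) -> %f, which accepts 1-6 digits; %:z (+hh:mm) -> %z, which in
# Python 3.7+ accepts +hhmm and +hh:mm alike, so it cannot tell Splunk's %z and %:z apart.
SPLUNK_TO_PYTHON = {"%3N": "%f", "%6N": "%f", "%:z": "%z"}


def to_python_format(splunk_fmt: str) -> str:
    """Translate a Splunk TIME_FORMAT into a Python strptime format."""
    out = splunk_fmt
    for splunk_token, py_token in SPLUNK_TO_PYTHON.items():
        out = out.replace(splunk_token, py_token)
    return out


def extract_timestamp(event: str, time_prefix: str, time_format: str, max_lookahead: int = 128):
    """Emulate TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD on a single event.

    Returns (datetime, matched_text) or None. The prefix regex is searched for, then at
    most max_lookahead characters after it are considered. Python's strptime needs an
    exact match, so the longest parsable slice of that window is taken (an emulation,
    not Splunk's parser).
    """
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end(): m.end() + max_lookahead]
    py_fmt = to_python_format(time_format)
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], py_fmt), window[:end]
        except ValueError:
            continue
    return None


_COLON_OFFSET_RE = re.compile(r"[+-]\d{2}:\d{2}$")


def offset_style_hint(time_format: str, matched_text: str):
    """Flag a bare %z in the format when the data carries a +hh:mm offset, the form
    for which Splunk documents the %:z variant."""
    uses_bare_z = "%z" in time_format.replace("%:z", "")
    if uses_bare_z and _COLON_OFFSET_RE.search(matched_text):
        return "offset is +hh:mm; Splunk documents %:z for this form (bare %z is +hhmm)"
    return None


def check_props(event=SAMPLE_EVENT, time_prefix=TIME_PREFIX_UNESCAPED,
                time_format=TIME_FORMAT_SPLUNK, max_lookahead=100):
    """Run the whole check and return a dict summarising what _time would get."""
    result = extract_timestamp(event, time_prefix, time_format, max_lookahead)
    if result is None:
        return {"parsed": False, "epoch": None, "utc": None, "matched": None, "hint": None}
    dt, matched = result
    return {
        "parsed": True,
        "epoch": dt.timestamp(),  # float seconds since the epoch, as _time is stored
        "utc": dt.astimezone(timezone.utc).isoformat(),
        "matched": matched,
        "hint": offset_style_hint(time_format, matched),
    }


if __name__ == "__main__":
    for prefix in (TIME_PREFIX_UNESCAPED, TIME_PREFIX_ESCAPED):
        print(prefix, "->", check_props(time_prefix=prefix))
    print("bare %z ->", check_props(time_format="%Y-%m-%dT%H:%M:%S.%3N%z"))
```

Both prefix variants match the sample event in Python's regex engine, so quote escaping is not what decides the outcome locally; the check is most useful for confirming that the prefix lands immediately before the timestamp and that the lookahead window is large enough, and for catching a bare %z against a colon-separated offset via the hint.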