I have a JSON file with two timestamps. How do I e...

anilchaithu · ‎11-24-2016

I have a JSON file with two timestamps. I would like to extract the second timestamp (highlighted in bold). I have tried props.conf configuration file in indexer as given below

props.conf

KV_MODE=none
TIME_PREFIX = 
MAX_TIMESTAMP_LOOKAHEAD=100

sample file

[
{
"ApproximateArrivalTimestamp": "2016-11-01 13:43:29.857000+00:00",
"Data": "{\"id\":\"9598390425884735158\",\"packetType\":\"sSns\",\"projectId\":845,\"adapterId\":\"1087\",\"time\":30095764,\"gid\":\"01:d8:95:24:ef:56:aa\",\"version\":\"1\",\"timestamp\":\"2016-11-07T13:43:29.316Z\",\"adapterType\":\"Blufi\",\"battery\":3630,\"temp\":25.0,\"eventCounter\":[3864,2797,237,2263,0,0],\"xAccel\":-0.95703125,\"yAccel\":0.08203125,\"zAccel\":0.046875}",
"PartitionKey": "p:845:b:1087",
"SequenceNumber": "49560220030257590074301033785634074783409781971940802562"
}
]

gokadroid · ‎11-25-2016

If you have that many \ in the data to escape the " then you can try putting following in TIME_PREFIX which should point it to the appropriate string you are interested in.

TIME_PREFIX = \\\"timestamp\\\":\\\"

I have a JSON file with two timestamps. How do I edit props.conf to extract the second timestamp?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation