I have a JSON file with two timestamps. How do I e...

anilchaithu · ‎11-24-2016

I have a JSON file with two timestamps. I would like to extract the second timestamp (highlighted in bold). I have tried props.conf configuration file in indexer as given below

props.conf

KV_MODE=none
TIME_PREFIX = 
MAX_TIMESTAMP_LOOKAHEAD=100

sample file

[
{
"ApproximateArrivalTimestamp": "2016-11-01 13:43:29.857000+00:00",
"Data": "{\"id\":\"9598390425884735158\",\"packetType\":\"sSns\",\"projectId\":845,\"adapterId\":\"1087\",\"time\":30095764,\"gid\":\"01:d8:95:24:ef:56:aa\",\"version\":\"1\",\"timestamp\":\"2016-11-07T13:43:29.316Z\",\"adapterType\":\"Blufi\",\"battery\":3630,\"temp\":25.0,\"eventCounter\":[3864,2797,237,2263,0,0],\"xAccel\":-0.95703125,\"yAccel\":0.08203125,\"zAccel\":0.046875}",
"PartitionKey": "p:845:b:1087",
"SequenceNumber": "49560220030257590074301033785634074783409781971940802562"
}
]

gokadroid · ‎11-25-2016

If you have that many \ in the data to escape the " then you can try putting following in TIME_PREFIX which should point it to the appropriate string you are interested in.

TIME_PREFIX = \\\"timestamp\\\":\\\"

I have a JSON file with two timestamps. How do I edit props.conf to extract the second timestamp?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

I have a JSON file with two timestamps. How do I edit props.conf to extract the second timestamp?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases