Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

JSON data with date not indexed

osec2a
New Member
‎08-31-2017 01:06 AM

Hi,

I am trying to index JSON data but Splunk refused to index it and I have no errors in logs.
The format of my data is : 

{"test1":"2017-08-31", "test2":"12.34.56"}

I tried many format :

{"test1":"2017-08-31", "test2":"12.34.56"}" => not indexed
{"test1":"12.34.56", "test2":"2017-08-31"}" => not indexed
{"test1":"2017-08-31", "test2":2017/08/3"}"  = > indexed successfully
{"test1":"2017.08.31", "test2":17.08.3"}" => indexed successfully
{"test1":"2017_08_31", "test2":17.08.3"}"  => indexed successfully

Why Splunk doesn't want to index my JSON with these data :

{"test1":"2017-08-31","test2":"12.34.56"}

Thanks for your help

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎08-31-2017 07:20 AM

If you explicitly set the data format to be %Y-%m-%d, does it work in all cases? (props.conf) I suspect that by default Splunk is probably looking at 12.34.56 as a date string, and if it falls outside the range of the date you are looking at, or it is prior to 1970 (I'm assuming that 12.34.56 is a made up piece of data, but I have nothing else to go on), then you are not going to find it in your search or it is too old to be properly indexed.

Also, though it is probably just a typo, your JSON data in your example data is bogus JSON. It probably should look like this:

{"test1":"2017-08-31", "test2":"12.34.56"} => not indexed
{"test1":"12.34.56", "test2":"2017-08-31"} => not indexed
{"test1":"2017-08-31", "test2":"2017/08/3"}  = > indexed successfully
{"test1":"2017.08.31", "test2":"17.08.3"} => indexed successfully
{"test1":"2017_08_31", "test2":"17.08.3"}  => indexed successfully
0 Karma
Reply

niketn
Legend
‎08-31-2017 03:12 AM

@osec2a, I tried adding {"test1":"2017-08-31", "test2":"12.34.56"} and it worked fine for me.

I had done Single File Upload in preview mode and I just created my Custom Sourcetype under "Search & Reporting App" with index="main".

The data looked good in preview mode as well as after adding to index in Splunk Search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

osec2a
New Member
‎08-31-2017 04:57 AM

My data are outputed by python script.
My script output is json data.
When the script output is {"test1":"2017-08-31", "test2":"12.34.56"}, data are not indexed, but when I delete the dot ".", data are indexed.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...