_JSON sourcetype indexing data - timestamp recogni...

himynamesdave · ‎03-26-2015

Hi all,

I am attempting to index a .json formatted file. Using the Splunk data checker, the fields are all extracted nicely using _JSON sourcetype (well done Splunk).

In my events there is a field named, "field.timestamp", that contains an epoch timestamp (13 digits) i want to use for the timestamp (no timestamp is recognised by default).

Here's a raw event:

{"field":{"timestamp":"1429306200000"}}

If I specify the field "field.timestamp" to Splunk as the field where the timestamp resides it still does not recognise any timestamp.

What would be a good way to extract this timestamp?

aaronkorn · ‎03-26-2015

The settings actually work. If you noticed, your timestamp is in the future...

1429306200000 equates to Fri, 17 Apr 2015 21:30:00 GMT

himynamesdave · ‎03-26-2015

i'm an idiot - thankyou!

himynamesdave · ‎03-26-2015

I have also tried setting "TIME_FORMAT = %s%3N" (13 digit epoch millisecond) which also fails

_JSON sourcetype indexing data - timestamp recognition

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Are you a member of the Splunk Community?

_JSON sourcetype indexing data - timestamp recognition

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...