Solved: JSON _time not always extracted ?

jeanmatthieu · ‎10-31-2014

Hi,

I'm running Splunk 6.1.4 and I send JSON documents through a TCP port.
I have a JSON document as follow and no specific TZ settings in my props.conf

{
     // ...
     "_time":"2014-11-01T02:17:34.712Z",
    // ...
}

Sometimes, the _time field within the document is used as the Time of the event.
Other times, _time is transformed to a regular time field and another (random) Time fields is used.

Using the above example it is not uncommon to see Time set to 11/01/14 02:17:34.000
but I also encountered the weirdest date such as 10/09/06 12:00:00.000.

Any idea what might be up please?
Thanks!

jeanmatthieu · ‎10-31-2014

Either setting MAX_TIMESTAMP_LOOKAHEAD = 0 or ensuring timestamp field is always the first field of the JSON document sorted my issue.

View solution in original post

jeanmatthieu · ‎10-31-2014

Either setting MAX_TIMESTAMP_LOOKAHEAD = 0 or ensuring timestamp field is always the first field of the JSON document sorted my issue.

JSON _time not always extracted ?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

JSON _time not always extracted ?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...