Solved: JSON _time not always extracted ?

jeanmatthieu · ‎10-31-2014

Hi,

I'm running Splunk 6.1.4 and I send JSON documents through a TCP port.
I have a JSON document as follow and no specific TZ settings in my props.conf

{
     // ...
     "_time":"2014-11-01T02:17:34.712Z",
    // ...
}

Sometimes, the _time field within the document is used as the Time of the event.
Other times, _time is transformed to a regular time field and another (random) Time fields is used.

Using the above example it is not uncommon to see Time set to 11/01/14 02:17:34.000
but I also encountered the weirdest date such as 10/09/06 12:00:00.000.

Any idea what might be up please?
Thanks!

jeanmatthieu · ‎10-31-2014

Either setting MAX_TIMESTAMP_LOOKAHEAD = 0 or ensuring timestamp field is always the first field of the JSON document sorted my issue.

View solution in original post

jeanmatthieu · ‎10-31-2014

Either setting MAX_TIMESTAMP_LOOKAHEAD = 0 or ensuring timestamp field is always the first field of the JSON document sorted my issue.

JSON _time not always extracted ?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

JSON _time not always extracted ?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...