Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

JSON with Timestamp (syslog)

poisar
Explorer
‎08-13-2020 03:59 AM

Hello,

i am getting the following json via syslog and i ingest it to splunk.

Aug 13 12:45:40 10.200.7.200 {"Status": "Failed", "Received": "2020-08-13T10:45:07.2887421", "ToIP": null, "StartDate": "2020-08-13T10:44:39.530583Z", "Index": 2, "EndDate": "2020-08-13T10:45:39.530583Z", "FromIP": "2603:10a6:803:67::17"}

 

i want to extract the json data. So i created a new app on my searchhead with a props.conf for my custom sourcetype:

[security:type]
TIME_PREFIX = "Received":\s*"
# SEDCMD-strip_prefix = s/^[^{]+//g
SEDCMD-StripHeader = s/^[^\{]+//
INDEXED_EXTRACTIONS=JSON
KV_MODE=json
TZ = UTC

 

still it doesnt extract the json data. Can someone help me out?

 

thanks in advance!

Andreas

Labels (2)
Labels
Tags (1)
0 Karma
Reply

poisar
Explorer
‎08-13-2020 05:46 AM

Putting the props.conf on the indexer fixed my issue.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!