Json parsing - Failed to parse timestamp

gobinspam · ‎03-07-2016

I'm trying to parse the following json input. I'm getting the data correctly indexed but I am also getting a warning.

WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event

{
  "events":[
    {
      "a":"057.00E09037A",
      "b":"cdw",
       "c":"1.2.7.7",
       "d":"192.168.1.0",
       "date":"2015-12-14T23:25:24.539Z"
    },
    {
      "a":"057.00E09037A",
      "b":"cdw",
       "c":"1.2.7.7",
       "d":"192.168.1.0",
       "date":"2015-12-14T23:25:24.542Z"
    }
  ]
}

Here is the configuration in my props.conf file:
[sample:events]
BREAK_ONLY_BEFORE = ({|[\s+{)
BREAK_ONLY_BEFORE_DATE = false
MUST_BREAK_AFTER = (}|}\s+])
NO_BINARY_CHECK = true
SEDCMD-remove_footer = s/]\s+}//g
SEDCMD-remove_header = s/({\s+.+?[)//g
SEDCMD-remove_trailing_commas = s/},/}/g
category = Custom
disabled = false
pulldown_type = true

Is there something in the props.conf file that I can do to avoid this warning.

somesoni2 · ‎03-07-2016

There are no timestamp recognition related configurations in your sourcetype. For better indexing performance, you should configure both event breaking and timestamp recognition configs in your sourcetype. Add following to your current props.conf under your sourcetype

TIME_PREFIX = date\":\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N
MAX_TIMESTAMP_LOOKAHEAD = 23

gobinspam · ‎03-07-2016

Thanks @somesoni2

I have tried adding these fields. It still gives me the same warning.

somesoni2 · ‎03-07-2016

Just to be sure, this props.conf is on Indexer/Heavy forwarders.

gobinspam · ‎03-07-2016

Yes this is on the heavy forwarder. I have also tried manually loading the json content and applying the sourcetype configuration.

Json parsing - Failed to parse timestamp

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM