Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Json parsing - Failed to parse timestamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Json parsing - Failed to parse timestamp
Hi all,
I'm quite new to splunk. I've been testing the manual upload of the following json file to splunk enterprise. However, I'm getting the error "Failed to parse timestamp" so I'm guessing it's unable to read the timestamp that is available in the json file "date_time". Would anyone be able to help me with this issue, also I am unable to alter the config file (etc/...) so hopefully the solution can be done through the web UI.
JSON input file:
{
"SVP": {
"rcc": {
"application": {
"ICE13": {
"hostname": "218",
"domain": "rc",
"app_id": "13",
"version": "413",
"date_time": "29/05/2021"
},
"ICE1": {
"hostname": "lnxau2004st0218",
"domain": "rcc",
"app_id": "1",
"version": "413",
"date_time": "31/05/2021",
"UPP": {
"hostname": "218",
"domain": "rc",
"version": "null",
"date_time": "29/05/2021"
}
}
},
"utility": {
"ICE13": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "29/05/2021"
}
},
"ICE1": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "31/05/2021"
}
},
"ICE5": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "30/05/2021"
}
},
"ICE9": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "31/05/2021"
}
},
"ICE11": {
"Ctl.sh": {
"hostname": "219",
"domain": "rc",
"version": "140",
"date_time": "30/05/2021"
}
}
}
}
}
}
Thanks for any and all help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are the props.conf settings for that sourcetype?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My props.configs file looks like this:
"SVP": {
"rcc": {
"application": {
"ICE13": {
"hostname": "218",
"domain": "rc",
"app_id": "13",
"version": "413",
"date_time": "29/05/2021"
}
With the next event containing:
"ICE1": {
"hostname": "lnxau2004st0218",
"domain": "rcc",
"app_id": "1",
"version": "413",
"date_time": "31/05/2021"
with the Application, rcc and SVP upper level keys also attached.
Essentially every object that has a data_time attribute, it should be turned its own independent event that should be able to be categorised based on the keys. E.g. Filtering based on "application" whilst within SVP.rcc
Is this possible? Is it overcomplicating and consequently should the data structure be altered?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series: Splunk Observability Metrics Cost Optimization
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
