Solved: Re: Multiple timestamp fields with same field name

wwhite12 · ‎05-14-2020

I have some json data events that has multiple "date" fields. The date field I am looking to use as my timestamp comes at the end of every event and it appears that Splunk is using whichever date field it reads first. Is there a way to specify which date field to use? The fields are in different time formats and even though I am specifying the time format for epoch time, it still appears to be incorrectly reading the first timestamp.

props.conf:
[sourcetype]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
AUTO_KV_JSON=false
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
TRUNCATE=20000
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIME_PREFIX="date":+
TIME_FORMAT=%s%3N
MAX_TIMESTAMP_LOOKAHEAD=13

Data Sample:
{"message”:”[messageType] This is a message",”type":"IntegrationLog","level":"WARN","details":{"_incomingData":{"_parsedData":{"hostNotificationNumber":"1","date":"2020-04-01”},”dateType”:”blah”,”integrationName”:”blahblahblah”,”incomingDataId”:”xxxxxxxxxxxxxxx”}},”date":1585775200775}

richgalloway · ‎05-14-2020

Can you be more specific with TIME_PREFIX? Perhaps }, "date":?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-14-2020

Can you be more specific with TIME_PREFIX? Perhaps }, "date":?

---
If this reply helps you, Karma would be appreciated.

wwhite12 · ‎05-14-2020

nailed it. Also weird to note, this was initially not working until I removed the plus sign from the TIME_PREFIX config. Once I removed that everything looks good.

Multiple timestamp fields with same field name

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!