Onboarding json data - please help

rwrettig · ‎04-28-2019

In a testing environment and can't get ride of this annoying triangle (Failed to parse timestamp. Defaulting to file modtime).

Here is a copy of my data:

{
"Phone_Number": "315-788-5129 x1967",
"First_Name": "Alvera",
"Last_Name": "Beier",
"User_Id": 0,
"Country": "Bahamas",
"ZipCode": "75876",
"Full_Name": "Hans Volkman",
"IP": "191.223.4.118",
"Date": "1997-06-14T02:06:55.205Z",
"Domain": "jevon.us",
"Email": "Rosemarie@kristian.ca"
}

And here is a copy of my last props.conf

description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TIME_FORMAT=strptime(%Y-%m-%dT%H:%M:%S.%3QZ)
TIMESTAMP_FIELDS=field10
TIME_PREFIX="DATE" : \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z
TRUNCATE=999999

richgalloway · ‎04-28-2019

You appear to be working with a few misconceptions.

TIME_FORMAT is just a format string. Functions are not processed, but are considered part of the time string.
TIME_PREFIX should be the text that comes before the timestamp. It is also a literal string.
TIMESTAMP_FIELDS doesn't apply since you are not using INDEXED_EXTRACTIONS.

Try these settings:

description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3NZ
TIME_PREFIX="DATE" : "
TRUNCATE=999999

---
If this reply helps you, an upvote would be appreciated.

Onboarding json data - please help

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >