Timestamp extraction failed if no INDEXED_EXTRACTI...

emallinger · ‎07-08-2021

Hello,

On a monoinstance Splunk, I'd like to ingest some simple JSON data :

 { 
   GDH: 2021-07-08 16:54:00.617222
   action: )reV[viZpy)4noHQFhs7;)*!wHlRaY3mo4R(o6,
   dossier: FR668CORG2021078979348557
   id: 4000000
   ident: 267987
   ip: 10.226.689.32
   org: PN
   service: 3647971
   telephone: +33672108802
}

I'd like to use only KV_mode, without indexed_extractions = json.

Here's my sourcetype :

[data_kvm_json]
DATETIME_CONFIG =
KV_MODE =
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = GDH
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%6N
category = Structured
description = sourcetype - kv_mode extraction
disabled = false
pulldown_type = true
NO_BINARY_CHECK = true

Here's the result :

The event is indexed at the time of the ingestion, not the event date wich is is GDH field.

I have several sourcetypes on another environnement (clustered IDX + SH), where this positionned in props.conf on indexer cluster works fine.

Is this a consequence of the architecture being only a mono-instance ?

What did I miss ?

Thanks,

Regards,

Eglantine

emallinger · ‎07-08-2021

Hi,

no luck.. same results in the UI (tried with "" and not) :

Thanks for the suggestion anyway.

Regards,

Ema

richgalloway · ‎07-08-2021

Try adding TIME_PREFIX = GDH: to props.conf

---
If this reply helps you, Karma would be appreciated.

Timestamp extraction failed if no INDEXED_EXTRACTION=json on props.conf

sourcetype

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor