Getting Data In

Timestamp preview different than timestamp in search for my json

hvaithia
Path Finder

here is my props.conf

[json_no_timestamp_new]
INDEXED_EXTRACTIONS = json
KV_MODE = json
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT = %s%3N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 512
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true

I tried to attached the preview from splunk and data coming from splunk forwarder but I am not able to do so...

0 Karma
1 Solution

hvaithia
Path Finder

[json_timestamp]
INDEXED_EXTRACTIONS = json
TIME_FORMAT = %s%3N

TIMESTAMP_FIELDS = timestamp

TIME_PREFIX = timestamp
SHOULD_LINEMERGE = false
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true

This is the props that worked out for me finally if anyone is interested in the future. TIMESTAMP_FIELDS didn't unfortunately work with the forwarder (although it worked in the data preview)

View solution in original post

0 Karma

hvaithia
Path Finder

[json_timestamp]
INDEXED_EXTRACTIONS = json
TIME_FORMAT = %s%3N

TIMESTAMP_FIELDS = timestamp

TIME_PREFIX = timestamp
SHOULD_LINEMERGE = false
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true

This is the props that worked out for me finally if anyone is interested in the future. TIMESTAMP_FIELDS didn't unfortunately work with the forwarder (although it worked in the data preview)

0 Karma

hvaithia
Path Finder

The event starts with {"building":
Sample event below
{"building": false, "changeSet": {"items": [], "kind": null}, "builtOn": "rhel6", "description": null, "artifacts": [], "timestamp": 1430241584496, "number": 13, "actions": [{"causes": [{"upstreamBuild": 14, "shortDescription": "Started by upstream project \"answers\" build number 14", "upstreamProject": "answers", "upstreamUrl": "job/answers/"}]}, {}, {}, {}, {}, {"highlightsData": "[{\"Previous Job\":\"answers#14\"},{\"Previous Job\":\"answers_se\"},{\"Build host\":\"rhel6\"}]", "highlightsTable": "<h4>Global Patterns</h4><b>Previous Job:</b><b>Started by <a href="/hudson/job/answers/14/">answers</a></b><b>Previous Job:</b><b>Started by <a href="/hudson/job/answers/8/">answers #8</a></b><b>Build host:</b><b>Built on <a href="/hudson/computer/rhel6/">rhel6</a></b>"}], "id": "2015-04-28_17-19-44", "keepLog": false, "url": "http://thefactory.xyz.com:9999/jenkins/job/answers/13/", "culprits": [], "result": "SUCCESS", "executor": null, "duration": 377658, "fullDisplayName": "answers", "estimatedDuration": 298415}

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...