Getting Data In

Timestamp preview different than timestamp in search for my json

hvaithia
Path Finder

here is my props.conf

[json_no_timestamp_new]
INDEXED_EXTRACTIONS = json
KV_MODE = json
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT = %s%3N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 512
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true

I tried to attached the preview from splunk and data coming from splunk forwarder but I am not able to do so...

0 Karma
1 Solution

hvaithia
Path Finder

[json_timestamp]
INDEXED_EXTRACTIONS = json
TIME_FORMAT = %s%3N

TIMESTAMP_FIELDS = timestamp

TIME_PREFIX = timestamp
SHOULD_LINEMERGE = false
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true

This is the props that worked out for me finally if anyone is interested in the future. TIMESTAMP_FIELDS didn't unfortunately work with the forwarder (although it worked in the data preview)

View solution in original post

0 Karma

hvaithia
Path Finder

[json_timestamp]
INDEXED_EXTRACTIONS = json
TIME_FORMAT = %s%3N

TIMESTAMP_FIELDS = timestamp

TIME_PREFIX = timestamp
SHOULD_LINEMERGE = false
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true

This is the props that worked out for me finally if anyone is interested in the future. TIMESTAMP_FIELDS didn't unfortunately work with the forwarder (although it worked in the data preview)

0 Karma

hvaithia
Path Finder

The event starts with {"building":
Sample event below
{"building": false, "changeSet": {"items": [], "kind": null}, "builtOn": "rhel6", "description": null, "artifacts": [], "timestamp": 1430241584496, "number": 13, "actions": [{"causes": [{"upstreamBuild": 14, "shortDescription": "Started by upstream project \"answers\" build number 14", "upstreamProject": "answers", "upstreamUrl": "job/answers/"}]}, {}, {}, {}, {}, {"highlightsData": "[{\"Previous Job\":\"answers#14\"},{\"Previous Job\":\"answers_se\"},{\"Build host\":\"rhel6\"}]", "highlightsTable": "<h4>Global Patterns</h4><b>Previous Job:</b><b>Started by <a href="/hudson/job/answers/14/">answers</a></b><b>Previous Job:</b><b>Started by <a href="/hudson/job/answers/8/">answers #8</a></b><b>Build host:</b><b>Built on <a href="/hudson/computer/rhel6/">rhel6</a></b>"}], "id": "2015-04-28_17-19-44", "keepLog": false, "url": "http://thefactory.xyz.com:9999/jenkins/job/answers/13/", "culprits": [], "result": "SUCCESS", "executor": null, "duration": 377658, "fullDisplayName": "answers", "estimatedDuration": 298415}

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...