Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how to set TIME_PREFIX for a json file?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a JSON file like this.
{
"ACC_NAME": "A",
"DEPT": [{
"NAME": "D1",
"PROJECT": [{
"P_NAME": "xyz",
"START_DATE": "1/5/2020 5:01:00",
"END_DATE": "1/31/2020 7:21:32",
"STATUS": "PASS"
}]
}]
}
I have been trying to set TIME_PREFIX and it's not working. As you can see there are two dates.When I set TIME_PREFIX= START_DATE i got time stamp error. How can i set TIME_PREFIX so that both the dates are included?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you are trying to set timestamp for the events, you can try below configuration.
[_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
TIMESTAMP_FIELDS = DEPT.PROJECT.START_DATE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you are trying to set timestamp for the events, you can try below configuration.
[_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
TIMESTAMP_FIELDS = DEPT.PROJECT.START_DATE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @manjunathmeti , thank you so much!!! It is working, and i am getting all the fields of the json file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @anooshac, try below by escaping special characters-
TIME_PREFIX= \"START_DATE\": \"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also provide Time_format as per your time format is like below-
TIME_FORMAT=%d/%m/%Y %H:%M:%S
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi i tried that and i'm still getting as "Failed to parse timestamp". How can i include the END_DATE aslo?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timestamp is assigned with only one field either START_DATE or END_DATE .
Can you share your props.conf ? (in code block)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[_json]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
disabled = false
TIME_FORMAT = %m/%d/%Y %H:%M:%S %z
TIME_PREFIX = \"START_DATE\": \"
MAX_TIMESTAMP_LOOKAHEAD = 128
BREAK_ONLY_BEFORE_DATE =
This is props.conf file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LINE_BREAKER = ([\r\n]+)
your JSON is one line?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @to4kawa , no my json is not a one line file.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
