timestamp field to be configured with json field ...

hashsplunk · ‎02-24-2021

data: { [-]
     DESC: Documentation for subsetted study data for iDAP Request INT-20200527-421
     DE_IDENTIFICATION_DATE: 2020-07-16
     EXCLUDED_COUNTRIES: null
     ID: 4849
     IS_OBSOLETE: false
     LOCATION: root/data_reuse/d848/d8480c00051/ar/shared/adam/doc/idap_20200716
     REMOVED_DUE_TO_COUNTRY_REMOVAL: null
     REPORTING_LOCATION_ID: 18495
     REUSE_LOCATION_CATEGORY_ID: 2
     REUSE_LOCATION_DATA_CATEGORIES: [ [+]
     ]}

I want the timestamp field to be data.DE_IDENTIFICATION_DATE to set in props.conf

INDEXED_EXTRACTIONS = JSON
TIMESTAMP_FIELDS = date
TIME_FORMAT = %Y%m%d
TZ = UTC
detect_trailing_nulls = auto
SHOULD_LINEMERGE = false
description = My source type
pulldown_type = true
disabled = false
KV_MODE = none
AUTO_KV_JSON = false
TIMESTAMP_FIELDS=DE_IDENTIFICATION_DATE

I have given above settings in my props.conf . Please suggest the write way of mentioning the json data value

to4kawa · ‎03-01-2021

TIME_PREFIX = DE_IDENTIFICATION_DATE\"\s*:\s*\"

not TIMESTAMP_FIELDS=DE_IDENTIFICATION_DATE

timestamp field to be configured with json field data

JSON

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

timestamp field to be configured with json field data

JSON

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!