timestamp field to be configured with json field ...

hashsplunk · ‎02-24-2021

data: { [-]
     DESC: Documentation for subsetted study data for iDAP Request INT-20200527-421
     DE_IDENTIFICATION_DATE: 2020-07-16
     EXCLUDED_COUNTRIES: null
     ID: 4849
     IS_OBSOLETE: false
     LOCATION: root/data_reuse/d848/d8480c00051/ar/shared/adam/doc/idap_20200716
     REMOVED_DUE_TO_COUNTRY_REMOVAL: null
     REPORTING_LOCATION_ID: 18495
     REUSE_LOCATION_CATEGORY_ID: 2
     REUSE_LOCATION_DATA_CATEGORIES: [ [+]
     ]}

I want the timestamp field to be data.DE_IDENTIFICATION_DATE to set in props.conf

INDEXED_EXTRACTIONS = JSON
TIMESTAMP_FIELDS = date
TIME_FORMAT = %Y%m%d
TZ = UTC
detect_trailing_nulls = auto
SHOULD_LINEMERGE = false
description = My source type
pulldown_type = true
disabled = false
KV_MODE = none
AUTO_KV_JSON = false
TIMESTAMP_FIELDS=DE_IDENTIFICATION_DATE

I have given above settings in my props.conf . Please suggest the write way of mentioning the json data value

to4kawa · ‎03-01-2021

TIME_PREFIX = DE_IDENTIFICATION_DATE\"\s*:\s*\"

not TIMESTAMP_FIELDS=DE_IDENTIFICATION_DATE

timestamp field to be configured with json field data

JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation