Hi
Until now, I had comma separated text inputs from many of my sources. Using props.conf, I could define the timestamp (e.g. which position and look ahead etc).
However, I anticipate JSON data inputs very shortly. I'm not sure what the steps/process would be to specify the timestamp (i.e. which time component to use for associating with searches).
Any pointers would be greatly appreciated.
thanks, ronak
@ronak you can use INDEXED_EXTRACTIONS = JSON to accomplish this:
INDEXED_EXTRACTIONS = < CSV|W3C|TSV|PSV|JSON >
* Tells Splunk the type of file and the extraction and/or parsing method Splunk should use on the file.
  CSV  - Comma-separated value format
  TSV  - Tab-separated value format
  PSV  - Pipe "|" separated value format
  W3C  - W3C Extended Log File Format
  JSON - JavaScript Object Notation format
* These settings default the values of the remaining settings to the appropriate values for these known formats.
* Defaults to unset.
In props.conf on the UF ($SPLUNK_HOME/etc/system/local/props.conf), set:

    [your_sourcetype]
    INDEXED_EXTRACTIONS = JSON
    KV_MODE = none

Then restart Splunk:

    cd $SPLUNK_HOME/bin
    ./splunk restart
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Extractfieldsfromfileheadersatindextime
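The answer above turns on structured extraction but does not show how the timestamp field is chosen. With INDEXED_EXTRACTIONS the relevant props.conf settings are TIMESTAMP_FIELDS (which JSON field holds the time; nested keys are written with dots), TIME_FORMAT (a strptime-style format) and TZ (applied when the value carries no offset). The script below is an added pre-flight check, not code from the original thread or from Splunk: it embeds a constructed props.conf stanza (the sourcetype name app_json is hypothetical) and a few constructed JSON events, then reports the epoch time each event would get or why it would get none. Python's strptime is used as a stand-in for Splunk's; Splunk accepts extensions such as %3N that Python does not, so keep TIME_FORMAT to directives both understand when using this check.

```python
import json
from datetime import datetime, timezone

# Constructed props.conf stanza. INDEXED_EXTRACTIONS, TIMESTAMP_FIELDS,
# TIME_FORMAT and TZ are real props.conf settings; "app_json" is a
# hypothetical sourcetype name chosen for this example.
PROPS_CONF = """
[app_json]
INDEXED_EXTRACTIONS = JSON
TIMESTAMP_FIELDS = event.time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
TZ = UTC
"""

# Constructed sample input: one JSON object per line, as a UF would read it.
# Line 3 lacks the time field; line 4 uses a format TIME_FORMAT does not match.
SAMPLE_EVENTS = """\
{"event": {"time": "2024-05-01T12:34:56+0000", "action": "login", "user": "alice"}}
{"event": {"time": "2024-05-01T12:35:10-0500", "action": "logout", "user": "bob"}}
{"event": {"action": "heartbeat"}}
{"event": {"time": "05/01/2024 12:36:00", "action": "login", "user": "mallory"}}
"""


def parse_props(text):
    """Parse the key = value lines of a single props.conf stanza into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def lookup(obj, dotted):
    """Resolve a dotted path such as event.time against a parsed JSON object."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def default_tz(name):
    """Map the TZ setting to a tzinfo; UTC needs no tz database."""
    if name in ("", "UTC", "GMT"):
        return timezone.utc
    from zoneinfo import ZoneInfo  # Python 3.9+; needs system tzdata
    return ZoneInfo(name)


def event_time(record, settings):
    """Return (epoch_seconds, field_used) or (None, reason) for one event.

    Fields listed in TIMESTAMP_FIELDS are tried in order; the first one
    present must match TIME_FORMAT, otherwise the event is reported.
    """
    fields = [f.strip() for f in settings.get("TIMESTAMP_FIELDS", "").split(",") if f.strip()]
    fmt = settings.get("TIME_FORMAT", "")
    tz = default_tz(settings.get("TZ", ""))
    for field in fields:
        raw = lookup(record, field)
        if raw is None:
            continue
        try:
            ts = datetime.strptime(str(raw), fmt)
        except ValueError:
            return None, f"{field}={raw!r} does not match TIME_FORMAT {fmt!r}"
        if ts.tzinfo is None:          # no offset in the value: TZ applies
            ts = ts.replace(tzinfo=tz)
        return ts.timestamp(), field
    return None, f"none of TIMESTAMP_FIELDS {fields} present"


def check_events(lines, props_text):
    """Run every JSON line through the stanza; returns [(line_no, epoch, info)]."""
    settings = parse_props(props_text)
    results = []
    for n, line in enumerate(lines.splitlines(), 1):
        if not line.strip():
            continue
        epoch, info = event_time(json.loads(line), settings)
        results.append((n, epoch, info))
    return results


if __name__ == "__main__":
    for n, epoch, info in check_events(SAMPLE_EVENTS, PROPS_CONF):
        status = f"_time={epoch:.0f} from {info}" if epoch is not None else f"NO TIMESTAMP: {info}"
        print(f"line {n}: {status}")
```

Events the check flags are the ones Splunk would have to time-stamp by some fallback rather than by the field you intended, so fix the source format or widen TIMESTAMP_FIELDS before onboarding. One more point on the stanza above: INDEXED_EXTRACTIONS must sit on the forwarder that reads the file, but KV_MODE is a search-time setting, so KV_MODE = none belongs in props.conf on the search head as well, where it stops the same JSON fields being extracted a second time at search time.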
Shouldn't be any different. Regex is still regex.
Unless your new inputs are multiple lines per event. Then you might have to do some work to combine them into a single event, but even then, you should still be able to regex your timestamp out.