How to edit our props.conf to assign a time field in our sample JSON event as the event timestamp?

dhavamanis
Builder

Can you please tell us how to assign the event log time (the ALERT_TIMESTAMP field's value) as the event timestamp (_time)? It seems the props.conf entry below is not working properly. Please review and provide a working sourcetype configuration for extracting fields and assigning the timestamp from event data.

props.conf:

[vops_json]
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = ALERT_TIMESTAMP
TIME_FORMAT = %s
KV_MODE = json
SHOULD_LINEMERGE = True
TRUNCATE = 0
category = Custom
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true

Sample Event:

{
"ALERT_SERVICESTATE": "OK",
"ALERT_VO_RECIEVE_TIME": "1469712777061",
"ALERT_URL": "http://test.url.com/test",
"ALERT_ENTITY_DISPLAY_NAME": "test entity",
"ALERT_ENTITY_STATE": "OK",
"ALERT_MESSAGE_TYPE": "RECOVERY",
"ALERT_MONITOR_NAME": "",
"ALERT_MONITORING_URL": "NAGIOS",
"ALERT_ROUTING_KEY": "admins_support",
"ALERT_TIMESTAMP": "1469712369000",
"ALERT_ENTITY_TYPE": "SERVICE",
"STATE_ACK_MESSAGE": "",
"STATE_ACK_TIMESTAMP": "1469712775000",
"STATE_ACK_USER": "test_coca",
"STATE_ALERT_COUNT": "2",
"STATE_CURRENT_ALERT_PHASE": "ACKED",
"STATE_CURRENT_STATE": "WARNING",
"STATE_ENTITY_ID": "nagios-publisher\/ec2-52-90-166-168.compute-1.amazonaws.com\/Memory",
"STATE_HOST": "ec2-52-90-166-168.compute-1.amazonaws.com",
"STATE_INCIDENT_NAME": "9106",
"STATE_INCIDENT_TIMESTAMP": "1469712369000",
"STATE_LAST_TIMESTAMP": "1469712369000",
"STATE_MONITOR_TYPE": "NAGIOS",
"STATE_SERVICE": "nbcdevfiles-4a23d9b2  \/ Memory"
}
0 Karma

rarsan_splunk
Splunk Employee

The timestamp appears to be in milliseconds, so try the following TIME_FORMAT:

INDEXED_EXTRACTIONS = json
TIMESTAMP_FIELDS = ALERT_TIMESTAMP
TIME_FORMAT=%s%3N
0 Karma

twinspop
Influencer

Maybe try TIME_PREFIX as an alternate method?

[vops_json]
TIME_PREFIX = "ALERT_TIMESTAMP": "
TIME_FORMAT = %s
<the rest of your configs>
0 Karma

somesoni2
Revered Legend

Give this a try

[vops_json]
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = ALERT_TIMESTAMP
TIME_PREFIX = ALERT_TIMESTAMP\"\:\s+\"
TIME_FORMAT = %s
KV_MODE = json
SHOULD_LINEMERGE = True
TRUNCATE = 0
category = Custom
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true
0 Karma
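To see why the original TIME_FORMAT = %s misreads this event and why %s%3N (or a TIME_PREFIX plus the right format) fixes it, here is an added Python example that is not from this thread or from Splunk: it applies somesoni2's TIME_PREFIX regex to a constructed copy of the sample event and converts the digits after it the way each TIME_FORMAT would. The epoch_seconds and extract_time helpers are hypothetical names for this illustration, not Splunk APIs.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed event in the same layout as the question's sample, trimmed to a few fields.
RAW_EVENT = '''{
"ALERT_SERVICESTATE": "OK",
"ALERT_VO_RECIEVE_TIME": "1469712777061",
"ALERT_TIMESTAMP": "1469712369000",
"STATE_ACK_TIMESTAMP": "1469712775000"
}'''

# TIME_PREFIX regex as written in somesoni2's answer.
TIME_PREFIX = r'ALERT_TIMESTAMP\"\:\s+\"'

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_seconds(digits: str, time_format: str) -> float:
    """Interpret a run of digits the way the given TIME_FORMAT would:
    %s    -> the whole run is seconds since the epoch
    %s%3N -> all but the last three digits are seconds, the last three are milliseconds
    """
    if time_format == "%s":
        return float(digits)
    if time_format == "%s%3N":
        return int(digits[:-3]) + int(digits[-3:]) / 1000.0
    raise ValueError(f"unsupported TIME_FORMAT: {time_format}")


def extract_time(raw_event: str, time_prefix: str, time_format: str):
    """Mimic the TIME_PREFIX + TIME_FORMAT step: find the prefix, read the digits
    that follow it, convert them. Returns an aware UTC datetime, or None when the
    prefix does not match or the value does not fit a calendar date, which is what
    happens when a 13-digit millisecond value is read as whole seconds with %s."""
    m = re.search(time_prefix, raw_event)
    if not m:
        return None
    digits = re.match(r"\d+", raw_event[m.end():])
    if not digits:
        return None
    try:
        return EPOCH + timedelta(seconds=epoch_seconds(digits.group(), time_format))
    except OverflowError:
        return None


if __name__ == "__main__":
    for fmt in ("%s", "%s%3N"):
        print(fmt, "->", extract_time(RAW_EVENT, TIME_PREFIX, fmt))
```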