Hi, hello,
Splunk is not showing milliseconds for JSON logs. I have found some questions and answers here in the Splunk community, but without success.
Description:
I have HFs, indexer cluster and search head cluster.
HF props.conf
[k8s:dev]
#temporarily removed to fix 123123
#INDEXED_EXTRACTIONS = JSON
TIME_PREFIX = {\\"@timestamp\\":\\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TRUNCATE = 200000
TRANSFORMS-discard_events = setnull_whitespace_indented,setnull_debug_logging
SEDCMD-RemoveLogProp = s/("log":)(.*)(?="stream":)//
HF transforms.conf
[setnull_java_stacktrace_starttab]
SOURCE_KEY = field:log
REGEX = ^\tat\s.*
DEST_KEY = queue
FORMAT = nullQueue
[setnull_whitespace_indented]
SOURCE_KEY = field:log
REGEX = ^\s+.*
DEST_KEY = queue
FORMAT = nullQueue
[setnull_debug_logging]
SOURCE_KEY = field:log
REGEX = .*?\sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue
Search props.conf
#workaround, see 123123
[k8s:dev]
KV_MODE = json
Everything looks fine in the web ADD DATA on the HF and on SEARCH too.
But not when I search it.
I can insert only part of the JSON.
{"log":"{\"@timestamp\":\"2021-08-03T09:00:57.539+02:00\",\"@version\":\"1\",\"message\":
Also, when I am in HF ADD DATA and I remove TIME_PREFIX and TIME_FORMAT, the milliseconds still appear, but when I slightly "destroy" TIME_PREFIX there is an error and the file timestamp is used (I think it's the file timestamp).
My questions are:
1. What am I doing wrong?
2. Is it possible to configure TIME_PREFIX and TIME_FORMAT for KV_MODE on search? Because as far as I know they are used on the HF during parsing.
3. Is it possible to configure KV_MODE?
Thank you very much for your suggestions.
Actually nothing works. What else can I try?
Also, SEDCMD should not affect that, as that is done after timestamp parsing.
Thank you!
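As an added example (not part of the post and not Splunk's own code), a small Python check that applies a TIME_PREFIX regex to a sample event and tests whether the TIME_FORMAT tokens literally fit the digits that follow. The token table is a simplified, strict approximation of Splunk's timestamp parser, and the sample event is constructed from the fragment quoted above; both are assumptions for illustration.

```python
import re

# Constructed sample raw event, shaped like the fragment quoted in the post
# (a Kubernetes container log line wrapping an escaped JSON payload).
SAMPLE_EVENT = (
    '{"log":"{\\"@timestamp\\":\\"2021-08-03T09:00:57.539+02:00\\",'
    '\\"@version\\":\\"1\\",\\"message\\":\\"hello\\"}\\n","stream":"stdout"}'
)

# TIME_PREFIX exactly as written in the HF props.conf; it is a regex, so the
# doubled backslashes match the single backslash that escapes each quote.
TIME_PREFIX = r'{\\"@timestamp\\":\\"'

# Subset of Splunk strptime tokens, modelled as fixed-width regexes.
# Assumption: a simplified model of the parser, used only to check whether
# a TIME_FORMAT lines up with the digits actually present in the event.
TOKENS = {
    "%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
    "%3N": r"\d{3}", "%6N": r"\d{6}", "%9N": r"\d{9}",
    "%z": r"[+-]\d{2}:?\d{2}",
}


def time_format_to_regex(time_format: str) -> str:
    """Translate a Splunk-style TIME_FORMAT into a regex, escaping literals."""
    out, i = [], 0
    while i < len(time_format):
        for tok, pat in TOKENS.items():
            if time_format.startswith(tok, i):
                out.append(f"({pat})")
                i += len(tok)
                break
        else:  # no token matched at this position: treat it as a literal
            out.append(re.escape(time_format[i]))
            i += 1
    return "".join(out)


def check_timestamp_config(event: str, time_prefix: str, time_format: str):
    """Return the timestamp text the format would consume from the event,
    or None if the prefix is not found or the format does not fit."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    m2 = re.match(time_format_to_regex(time_format), event[m.end():])
    return m2.group(0) if m2 else None
```

Running it against the posted format and a three-digit alternative shows which one consumes the ".539" fraction from the sample.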