Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

PROPS configuration for Source Data with Field Names and Values Stored in Text File

SplunkDash
Motivator
‎09-28-2021 09:12 AM

Hello,

I have some issues writing a PROPS configuration file for the following  source data stored in text file. I  also used TIMESTAMP_FIELDS= timeStamp there, to have field values under field names But, it's not working. My PROPS configuration and a sample event are given below.  Any help will be highly appreciated. Thank you so much. 

 

[ __auto__learned__ ]

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

TIMESTAMP_FIELDS=timeStamp

TIME_PREFIX =^\{\"timeStamp\"\:\"

TIME_FORMAT=%Y-%m-%d %H:%M:%S

MAX_TIMESTAMP_LOOKAHEAD=29

 

{"timeStamp":"2021-06-21 14:53:56 EDT","appName":"OSD","userType":"FILTER","StatCd":null,"Amt":null,"errorMsg":"","eventId":"APP_ENTRY","eventType":"VIEW","fileSourceCd":null,"ipAddr":"11.212.41.151","mftCd":null,"outputCd":null,"planNum":null,"reasonCd":null,"returnCd":"00","sessionId":"XWGMwkncVD0m60OQBOahu8s/qG1c=","Period":null,"cat":"234207501","Type":null,"userId":"cdabea740a-g9a0-408f-a6a7-5ae70c689e6d","vsardata":{"uri":"/osd/rest/accountSummary","host":"appsa.rup.afsiep.net","ipAddress":"11.212.41.151","Id":"AXSabea753c-d9a0-408f-a6a7-5ae70c689e6d","requestId":"as58510cd-0459-614b7bc4-1afdd700-0bf875285d76","referer":https://saada.ruer.egsiep.net/osd/,"responseStatus":0}}

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-28-2021 05:30 PM

It would help if you explained what you mean by "it's not working".

The TIMESTAMP_FIELDS setting is for use with INDEXED_EXTRACTIONS.  Try these settings

[ __auto__learned__ ]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = \{"timeStamp":"
TIME_FORMAT = %Y-%m-%d %H:%M:%S %Z
MAX_TIMESTAMP_LOOKAHEAD = 29

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-28-2021 05:30 PM

It would help if you explained what you mean by "it's not working".

The TIMESTAMP_FIELDS setting is for use with INDEXED_EXTRACTIONS.  Try these settings

[ __auto__learned__ ]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = \{"timeStamp":"
TIME_FORMAT = %Y-%m-%d %H:%M:%S %Z
MAX_TIMESTAMP_LOOKAHEAD = 29

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...