Re: define timestamp for json

kirrusk · ‎12-10-2020

Hi,

I have a simple json like below ,

{"env":"p1","label":"1788_kapi_fed","App":"admin-ipo-sel","lastUpdate":"2020-10-18 19:03:16.956","region":"ea"}{"env":"p1","label":"1788_kapi_fed","App":"admin-ipo-sel","lastUpdate":"2020-10-19 18:29:43.136","region":"ea"}{"env":"p2","label":"1788_kapi_fed","App":"admin-ipo-sel","lastUpdate":"2020-10-19 19:29:45.136","region":"ea"}

timestamp field - "lastUpdate":"2020-10-19 19:29:43.136"

trying to define timestamp in props file with below stanza but not working

INDEXED_EXTRACTIONS = json

KV_MODE = none

AUTO_KV_JSON = false

TIME_PREFIX = lastUpdate\":\" tried with this as well (TIME_PREFIX = "lastUpdate":")

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%N

MAX_TIMESTAMP_LOOKHEAD = 23

No events are coming to splunk with above data.

only below one is working to push data to splunk , Can any please suggest whats going wrong here

INDEXED_EXTRACTIONS = json

KV_MODE = none

AUTO_KV_JSON = false

TZ = Asia/Singapore

to4kawa · ‎12-11-2020

sample:

| makeresults
| eval _raw="{\"env\":\"p1\",\"label\":\"1788_kapi_fed\",\"App\":\"admin-ipo-sel\",\"lastUpdate\":\"2020-10-18 19:03:16.956\",\"region\":\"ea\"}"
| rex "lastUpdate\":\"(?<time>\S+ \S+?)\""
| eval _time=strptime(time,"%F %T.%3N")

TIME_PREFIX = lastUpdate\":\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N

to4kawa · ‎12-11-2020

Is one event one line?

kirrusk · ‎12-11-2020

@to4kawa yes

define timestamp for json

field extraction

fields

metadata

search job inspector

stats

table

transaction

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor