×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jchoksi
New Member
Member since: ‎02-05-2020
‎10-07-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-05-2020
View All

Re: How to configure Splunk to use a specific JSON...

by in Getting Data In
‎02-06-2020 02:45 AM
‎02-06-2020 02:45 AM
Thanks for your response. I tried using the following: File: props.conf ---snip--- [google:gcp:pubsub:message] INDEXED_EXTRACTIONS = json KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false AUTO_KV_JSON = false TIMESTAMP_FIELDS = data.timestamp TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%Z ---snip--- and found that Splunk's _time field was not being set to the value of the data.timestamp field. Maybe Splunk doesn't support nested JSON fields in TIMESTAMP_FIELDS ? Currently, I've configured the props.conf file to use: [google:gcp:pubsub:message] INDEXED_EXTRACTIONS = json KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_PREFIX = \"timestamp\": \" TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%Z which correctly sets Splunk's _time field to the value of data.timestamp ... View more

How to configure Splunk to use a specific JSON fie...

by in Getting Data In
‎02-05-2020 12:55 PM
‎02-05-2020 12:55 PM
For the following example JSON message (formated to make it easier to read), how can I configure props.conf to inform Splunk that it should use data.timestamp for its event timestamp? { "publish_time": 1580824871.446, "data": { "textPayload": "DEBUG | 2020-02-04T14:01:05,760 | A very long string here...<snip>", "logName": "blah0", "receiveTimestamp": "2020-02-04T14:01:07.707699223Z", "labels": { "k8s-pod/version": "blah2", "k8s-pod/track": "blah3", "k8s-pod/app": "blah4", "k8s-pod/pod-template-hash": "blah5" }, "insertId": "blah6", "resource": { "type": "k8s_container", "labels": { "project_id": "blah7", "pod_name": "blah8", "cluster_name": "blah9", "location": "blah10", "container_name": "blah11", "namespace_name": "blah12" } }, "severity": "INFO", "timestamp": "2020-02-04T14:01:05.760888513Z" }, "attributes": { "logging.googleapis.com/timestamp": "2020-02-04T14:01:05.760888513Z" } } Would the following be correct & performant ? File: props.conf ---snip--- [google:gcp:pubsub:message] INDEXED_EXTRACTIONS = json KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIMESTAMP_FIELDS = data.timestamp TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%Z ---snip--- ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-07-2021 09:09 AM