Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Onboarding json data - please help

rwrettig
New Member
‎04-28-2019 01:01 AM

In a testing environment and can't get ride of this annoying triangle (Failed to parse timestamp. Defaulting to file modtime).

Here is a copy of my data:

{
"Phone_Number": "315-788-5129 x1967",
"First_Name": "Alvera",
"Last_Name": "Beier",
"User_Id": 0,
"Country": "Bahamas",
"ZipCode": "75876",
"Full_Name": "Hans Volkman",
"IP": "191.223.4.118",
"Date": "1997-06-14T02:06:55.205Z",
"Domain": "jevon.us",
"Email": "Rosemarie@kristian.ca"
}

And here is a copy of my last props.conf

description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TIME_FORMAT=strptime(%Y-%m-%dT%H:%M:%S.%3QZ)
TIMESTAMP_FIELDS=field10
TIME_PREFIX="DATE" : \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z
TRUNCATE=999999

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-28-2019 06:19 AM

You appear to be working with a few misconceptions.

TIME_FORMAT is just a format string. Functions are not processed, but are considered part of the time string.
TIME_PREFIX should be the text that comes before the timestamp. It is also a literal string.
TIMESTAMP_FIELDS doesn't apply since you are not using INDEXED_EXTRACTIONS.

Try these settings:

description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3NZ
TIME_PREFIX="DATE" : "
TRUNCATE=999999
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...