I have a JSON log file that I'm attempting to ingest (Splunk v6.6.5). The events parse correctly, but the epoch time isn't being used as the event timestamp. Splunk is using the file modified date for the event timestamp.
Here's a sample record and my props config (which lives on the Indexers):
{"time":1531405028,"name":"PSIKD01.BOOT","appl":"@ABCVDIF","server":"SERVER1","user":"LSRVID","HandleCount":792,"KernelModeTime":66875000,"OtherOperationCount":18498,"OtherTransferCount":630163,"PageFaults":320216,"PageFileUsage":1349924,"PrivatePageCount":1382322176,"ReadOperationCount":36716,"ReadTransferCount":38844376,"ThreadCount":34,"UserModeTime":363281250,"VirtualSize":2207380942848,"WorkingSetSize":672907264,"WriteOperationCount":205,"WriteTransferCount":63855}
[apm_json]
KV_MODE = none
INDEXED_EXTRACTIONS = json
TIME_PREFIX = "time":
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TRUNCATE = 100000
Any help would be appreciated. Thanks!
Everything looks good in the config. Have you looked to see if there is anything overriding that configuration that might be causing the date parsing problem? Use btool
to see what Splunk is actually seeing as the configs:
splunk btool props list --debug | less
Then search for apm_json
and see if the configs for that sourcetype match the above configs.
I had run btool on props previously. I confirmed my sourcetype is active.