Trouble extracting time in JSON

ericlarsen · ‎07-17-2018

I have a JSON log file that I'm attempting to ingest (Splunk v6.6.5). The events parse correctly, but the epoch time isn't being used as the event timestamp. Splunk is using the file modified date for the event timestamp.

Here's a sample record and my props config (which lives on the Indexers):

{"time":1531405028,"name":"PSIKD01.BOOT","appl":"@ABCVDIF","server":"SERVER1","user":"LSRVID","HandleCount":792,"KernelModeTime":66875000,"OtherOperationCount":18498,"OtherTransferCount":630163,"PageFaults":320216,"PageFileUsage":1349924,"PrivatePageCount":1382322176,"ReadOperationCount":36716,"ReadTransferCount":38844376,"ThreadCount":34,"UserModeTime":363281250,"VirtualSize":2207380942848,"WorkingSetSize":672907264,"WriteOperationCount":205,"WriteTransferCount":63855}

[apm_json]
KV_MODE = none
INDEXED_EXTRACTIONS = json
TIME_PREFIX = "time":
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TRUNCATE = 100000

Any help would be appreciated. Thanks!

cpetterborg · ‎07-17-2018

Everything looks good in the config. Have you looked to see if there is anything overriding that configuration that might be causing the date parsing problem? Use btool to see what Splunk is actually seeing as the configs:

splunk btool props list --debug | less

Then search for apm_json and see if the configs for that sourcetype match the above configs.

ericlarsen · ‎07-17-2018

I had run btool on props previously. I confirmed my sourcetype is active.

Trouble extracting time in JSON

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!