Re: timestamp field to be configured with json fi...

hashsplunk · ‎02-24-2021

data: { [-]
     DESC: Documentation for subsetted study data for iDAP Request INT-20200527-421
     DE_IDENTIFICATION_DATE: 2020-07-16
     EXCLUDED_COUNTRIES: null
     ID: 4849
     IS_OBSOLETE: false
     LOCATION: root/data_reuse/d848/d8480c00051/ar/shared/adam/doc/idap_20200716
     REMOVED_DUE_TO_COUNTRY_REMOVAL: null
     REPORTING_LOCATION_ID: 18495
     REUSE_LOCATION_CATEGORY_ID: 2
     REUSE_LOCATION_DATA_CATEGORIES: [ [+]
     ]}

I want the timestamp field to be data.DE_IDENTIFICATION_DATE to set in props.conf

INDEXED_EXTRACTIONS = JSON
TIMESTAMP_FIELDS = date
TIME_FORMAT = %Y%m%d
TZ = UTC
detect_trailing_nulls = auto
SHOULD_LINEMERGE = false
description = My source type
pulldown_type = true
disabled = false
KV_MODE = none
AUTO_KV_JSON = false
TIMESTAMP_FIELDS=DE_IDENTIFICATION_DATE

I have given above settings in my props.conf . Please suggest the write way of mentioning the json data value

to4kawa · ‎03-01-2021

TIME_PREFIX = DE_IDENTIFICATION_DATE\"\s*:\s*\"

not TIMESTAMP_FIELDS=DE_IDENTIFICATION_DATE

timestamp field to be configured with json field data

JSON

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?