Hi all,
I use the following simple props.conf for some JSON-type events:

[my:sourcetype]
category = Structured
DATETIME_CONFIG =
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
TIME_FORMAT=%s
disabled=false
pulldown_type=true
SHOULD_LINEMERGE=false
TIMESTAMP_FIELDS=timestamp
The event looks like following:
{"access_device": {"browser": "Edge Chromium", "browser_version": "108.0.1462.54", "epkey": null, "flash_version": "uninstalled", "hostname": null, "ip": "192.168.182.230", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": "uninstalled", "location": {"city": "Bestine", "country": "Tatooine", "state": "Central and Western District"}, "os": "Windows", "os_version": "10"}, "adaptive_trust_assessments": {}, "alias": "unknown", "application": {"key": "ABCDEFG1234567", "name": "[UAT] Hello World App"}, "auth_device": {"ip": null, "key": null, "location": {"city": null, "country": null, "state": null}, "name": null}, "email": null, "event_type": "authentication", "factor": "not_available", "isotimestamp": "2022-12-20T09:14:08.755759+00:00", "ood_software": null, "reason": "allow_unenrolled_user", "result": "success", "timestamp": 1671527648, "txid": "c571233d-b357-3f07-e126-ca2623b8e0d9", "user": {"groups": [], "key": null, "name": "luke"}, "eventtype": "authentication", "host": "jedi1.mydomain.com"}
It works when I test it by uploading a log file and setting the sourcetype to my:sourcetype. Fields and the timestamp can be extracted.
However, when events are fed from the UF, the timestamp can't be extracted and the file's modified time is used as the timestamp instead.
Tried adding 'TIME_PREFIX=timestamp": ' but it didn't help.
Would anyone please help?
Thanks and Regards
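One thing a reader can check offline is whether the stanza's timestamp settings actually fit the event. The Python below is an added example written for this page, not code from the post or from Splunk: it reads TIMESTAMP_FIELDS and TIME_FORMAT out of a copy of the stanza, applies them to a trimmed copy of the event above (constructed sample input), and compares the result with the event's own isotimestamp field; only %s (epoch seconds) and strptime-style formats are handled, which is far less than Splunk's own timestamp engine. If this check passes on the file yet indexed events still carry the file's modification time, the settings themselves are not the problem; with INDEXED_EXTRACTIONS the structured parsing runs on the universal forwarder, so the same props.conf stanza has to be present on the UF, not only on the indexer or search head.

```python
import json
from datetime import datetime, timezone

# Trimmed copy of the event from the post (constructed sample input).
SAMPLE_EVENT = (
    '{"event_type": "authentication", "factor": "not_available", '
    '"isotimestamp": "2022-12-20T09:14:08.755759+00:00", '
    '"result": "success", "timestamp": 1671527648, '
    '"txid": "c571233d-b357-3f07-e126-ca2623b8e0d9", '
    '"user": {"groups": [], "key": null, "name": "luke"}, '
    '"host": "jedi1.mydomain.com"}'
)

# The timestamp-related settings of the post's stanza, one per line.
PROPS_STANZA = r"""[my:sourcetype]
INDEXED_EXTRACTIONS=json
TIME_FORMAT=%s
TIMESTAMP_FIELDS=timestamp
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
"""


def parse_stanza(text):
    """Parse the 'key = value' lines of one props.conf stanza into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def extract_event_time(event, settings):
    """Return the aware datetime that TIMESTAMP_FIELDS/TIME_FORMAT should
    yield for this event, or None when the field is missing or its value
    does not match the format (Splunk would then fall back to another
    source such as the file modification time)."""
    field = settings.get("TIMESTAMP_FIELDS")
    fmt = settings.get("TIME_FORMAT", "")
    if not field or field not in event:
        return None
    value = event[field]
    if fmt == "%s":
        # Epoch seconds: accept int, float or a numeric string, never bool.
        if isinstance(value, bool) or not isinstance(value, (int, float, str)):
            return None
        try:
            return datetime.fromtimestamp(int(float(value)), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            return None
    # Any other format: plain strptime, naive results are assumed to be UTC.
    try:
        parsed = datetime.strptime(str(value), fmt)
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_event(raw_line, stanza_text):
    """Apply the stanza to one raw JSON line and report what happens."""
    settings = parse_stanza(stanza_text)
    event = json.loads(raw_line)
    extracted = extract_event_time(event, settings)
    result = {
        "extracted": extracted.isoformat() if extracted else None,
        "falls_back_to_modtime": extracted is None,
        "matches_isotimestamp": False,
    }
    iso = event.get("isotimestamp")
    if extracted and isinstance(iso, str):
        try:
            reference = datetime.fromisoformat(iso)
            # %s carries whole seconds only, so compare at second precision.
            result["matches_isotimestamp"] = (
                reference.replace(microsecond=0) == extracted
            )
        except ValueError:
            pass
    return result


if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT, PROPS_STANZA))
    # Same event, but pointing TIMESTAMP_FIELDS at a field that is not there.
    broken = PROPS_STANZA.replace("TIMESTAMP_FIELDS=timestamp", "TIMESTAMP_FIELDS=ts")
    print(check_event(SAMPLE_EVENT, broken))
```

Run it against a few lines taken from the real file: a result with falls_back_to_modtime set to True points at the stanza (wrong field name or format), while an all-green result on the file points at where the stanza is deployed.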