How to specify a specific field to use as time fie...

tdiestel · ‎05-20-2015

I need to know how to specify to Splunk to pick a particular field in the data as Time while indexing the data. My data is in Json and looks like this:

{"report_parameters":{"venue_id":"22","timezone":"UTC","start_date":"2015-05-18 05:10:00","end_date":"2015-05-18 05:19:59","report":"items","grouping":"product","sorting":"value","filter":false,"filter_id":false,"filter2":false,"filter_id2":false,"filter3":false,"filter_id3":false},"sales_summary":{"total_orders":"0","total_sales":null,"fees_collected":null,"total_tips":null,"tax_collected":null,"average_order_size":"0.00","total_items":"0"},"report_data":[]}

All the data is in UTC.
I want to use the start_date as the Time Column.

We are using the TCP port input to push data to an index.

If I need to make change in the props.conf file what would be change I would need to make.

woodcock · ‎08-06-2015

As @rphillips said, you can use a configuration like this:

props.conf

[yourSourcetypeHere]
INDEXED_EXTRACTIONS = JSON
TIMESTAMP_FIELDS = end_date, timezone

Then put this on your forwarders and restart the Splunk instances and it should work.
Yes, I deliberately used end_date instead of start_date. Trust me: this definitely is the correct choice. If you need me to explain why, I will.

rphillips_splk · ‎05-21-2015

@tdiestel You should try using INDEXED_EXTRACTIONS = JSON in props.conf of your forwarder.

see:
http://answers.splunk.com/answers/237933/how-to-configure-timestamp-recognition-for-json-da.html#ans...

How to specify a specific field to use as time field while indexing json data

props.conf

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio