Getting Data In

How do I extract event timestamp from json log file at index time?

aenache
Engager

I'm trying to extract timestamps for log events that I am forwarding to Splunk as JSON log files, and instead of getting the date correctly from inside the JSON, Splunk seems to get the timestamp from the log file's Date Modified (that's the only datetime that matches; isn't that weird?).

The JSON is properly formatted and validated, and is serialised to a string using the Json.NET JsonConvert, so my JSON around the datetime looks like this:

"Request": {
  "TimestampUtc": "2015-11-09T14:33:53.3239117Z",
  "Headers": {

I set sourcetype=_json for my Universal Forwarder in the inputs.conf file for Splunk_TA_windows, monitoring a directory on my hard drive. Log file names have the format service.log.json, and the TimestampUtc property is on the 10th line, about 140 characters in, inside the object.

On the Splunk server, the default props.conf has

[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
category = Structured

and the local props.conf has

[_json]
INDEXED_EXTRACTIONS = json
pulldown_type = true
KV_MODE = none
AUTO_KV_JSON = false
#TIMESTAMP_FIELDS = TimestampUtc
TIME_PREFIX=/"TimestampUtc": "/
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 27
category = Structured

Can someone point me to the right configuration for this extraction? I have tried a multitude of combinations but without success.

1 Solution

aenache
Engager

Fixed! I needed to move the datetime property at the top level in the json object. Kept the same configuration settings.

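Two details in the question's props.conf are worth checking before moving fields around. TIME_PREFIX is a bare regular expression, so the slashes in /"TimestampUtc": "/ are matched as literal characters and the prefix never matches the JSON. And the value "2015-11-09T14:33:53.3239117Z" is 28 characters long, so MAX_TIMESTAMP_LOOKAHEAD = 27 cuts off the trailing Z, the only thing telling the indexer that the time is UTC. When extraction fails, every event gets the file's modification time, which flattens an incident timeline. The following is an added example, not code from the thread or from Splunk: a small Python stand-in for the two ways a stanza can locate the timestamp (a TIMESTAMP_FIELDS-style field lookup, and a TIME_PREFIX plus lookahead scan over the raw text), run against a constructed event shaped like the one in the question. The dotted path for nested fields is an assumption of this demo, to be verified against your Splunk version before relying on it in TIMESTAMP_FIELDS; the example also parses the 7-digit fraction (.NET ticks) that Json.NET emits, which strptime's %f cannot.

```python
"""Added example (not from the original thread or from Splunk): a stand-in for
timestamp extraction from a JSON event via field lookup and via prefix scan."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample event, shaped like the one in the question (nested field).
SAMPLE_EVENT = """{
  "Service": "orders",
  "Level": "Information",
  "Request": {
    "TimestampUtc": "2015-11-09T14:33:53.3239117Z",
    "Headers": {
      "Host": "example.invalid"
    }
  }
}"""

# ISO 8601 timestamp with an optional 1-9 digit fraction and optional zone.
ISO_TS = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"   # date and time
    r"(?:\.(\d{1,9}))?"                         # optional fraction (Json.NET: 7 digits)
    r"(Z|[+-]\d{2}:?\d{2})?"                    # optional zone designator
)


def parse_iso(text: str) -> Optional[datetime]:
    """Parse a timestamp, truncating the fraction to microseconds.
    Returns an aware datetime, or a naive one when the zone is missing,
    so the caller can see that the zone information was lost."""
    m = ISO_TS.fullmatch(text)
    if not m:
        return None
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    frac = (m.group(2) or "").ljust(6, "0")[:6]      # "3239117" -> "323911"
    base = base.replace(microsecond=int(frac))
    zone = m.group(3)
    if zone is None:
        return base                                  # naive: zone unknown
    if zone == "Z":
        return base.replace(tzinfo=timezone.utc)
    sign = 1 if zone[0] == "+" else -1
    hh, mm = int(zone[1:3]), int(zone[-2:])
    return base.replace(tzinfo=timezone(sign * timedelta(hours=hh, minutes=mm)))


def lookup_field(event: dict, path: str):
    """TIMESTAMP_FIELDS-style lookup. A dotted path descends into nested
    objects (demo assumption, not a claim about Splunk's syntax)."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def ts_from_field(raw: str, field: str) -> Optional[datetime]:
    """Locate the timestamp by field name in the parsed JSON."""
    value = lookup_field(json.loads(raw), field)
    return parse_iso(value) if isinstance(value, str) else None


def ts_from_prefix(raw: str, time_prefix: str, lookahead: int) -> Optional[datetime]:
    """TIME_PREFIX-style scan: find the prefix regex in the raw text, then
    read at most `lookahead` characters after it (MAX_TIMESTAMP_LOOKAHEAD)."""
    m = re.search(time_prefix, raw)
    if not m:
        return None
    window = raw[m.end(): m.end() + lookahead]
    t = ISO_TS.match(window)
    return parse_iso(t.group(0)) if t else None


if __name__ == "__main__":
    # Top-level lookup misses the nested field; a dotted path finds it.
    print(ts_from_field(SAMPLE_EVENT, "TimestampUtc"))
    print(ts_from_field(SAMPLE_EVENT, "Request.TimestampUtc"))
    # Slash-delimited prefix: the slashes are literal and never match.
    print(ts_from_prefix(SAMPLE_EVENT, r'/"TimestampUtc": "/', 27))
    # Bare regex matches, but a 27-character window drops the trailing Z.
    print(ts_from_prefix(SAMPLE_EVENT, r'"TimestampUtc":\s*"', 27))
    # With a 28-character window the zone survives.
    print(ts_from_prefix(SAMPLE_EVENT, r'"TimestampUtc":\s*"', 28))
```

The same two checks translate directly to the stanza: write TIME_PREFIX without delimiters (for example "TimestampUtc":\s*") and give MAX_TIMESTAMP_LOOKAHEAD at least the full 28 characters of the value, so the Z is included and the event is not silently interpreted in the indexer's local zone.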

bharat1478
New Member

But it looks like your timestamp field was already at the top of the JSON object?
"Request": {
  "TimestampUtc": "2015-11-09T14:33:53.3239117Z",
  "Headers": {

Where exactly did you move it to ?
