Sample single event:
[{"a":"057.00E09037A","b":"cdw","c":"1.2.7.7","d":"192.168.1.0","date":"2015-12-14T23:25:24.539Z"}, {"a":"057.00E09037A","b":"cdw","c":"1.2.7.7","d":"192.168.1.0","date":"2015-12-14T23:25:24.542Z"},
{"a":"057.00E09037A","b":"cdw","c":"1.2.7.7","d":"192.168.1.0","date":"2015-12-14T23:25:24.545Z"}]
Please note that the above event is an array whose elements are JSON objects with different timestamps.
Is there an efficient configuration for props.conf to parse the above into 3 different events with their unique timestamps?
This will already result in three indexed events with the standard "_json" sourcetype. You can just copy those settings and create your own sourcetype.
LINE_BREAKER = (\x04)
NO_BINARY_CHECK = 0
SHOULD_LINEMERGE = false
pulldown_type = 1
TIME_PREFIX=\,\"date\":\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TZ=UTC
MAX_TIMESTAMP_LOOKAHEAD=300
INDEXED_EXTRACTIONS = JSON
But it is still taking the array of JSON objects as one event.
Your JSON data has standard xsd:dateTime timestamps, which Splunk will recognize automatically; and you only have one timestamp in there. So I would just get rid of TIME_PREFIX, TIME_FORMAT and TZ.
I would also remove the LINE_BREAKER and let Splunk figure that out based on the JSON structure we understand.
Note that INDEXED_EXTRACTIONS needs to be configured on the source system, where the logs are picked up (a Universal Forwarder, in most cases).
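The complete props.conf stanza that the accepted advice above amounts to, written out as an added example rather than copied from either poster. The sourcetype name my_json_array is an assumed placeholder; every setting is taken from the asker's stanza minus the three timestamp overrides and the LINE_BREAKER, plus the two search-time settings that stop the same fields being extracted twice.

```ini
# Added example: props.conf stanza for a file whose events are JSON arrays
# of objects, one object per event. Sourcetype name is an assumed placeholder.
# Deploy this on the host that reads the file (the Universal Forwarder),
# because INDEXED_EXTRACTIONS runs there, and also on the search head so the
# KV_MODE/AUTO_KV_JSON settings below take effect.
[my_json_array]

# Let the JSON structured-data parser split the top-level array into one
# event per object. Do not set LINE_BREAKER here: it would override this and
# hand the whole array to the indexer as a single event.
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true

# No TIME_PREFIX, TIME_FORMAT or TZ: the ISO 8601 "date" value, including the
# trailing Z, is recognised automatically and its timezone comes from the
# string itself. Assumption: "date" is the only timestamp in each object.
# The field sits near the end of each ~100 byte object, so keep the
# lookahead above the default to be safe.
MAX_TIMESTAMP_LOOKAHEAD = 300

# Fields are already extracted at index time; switching off search-time
# JSON extraction avoids duplicate field values.
KV_MODE = none
AUTO_KV_JSON = false
```

Point the input at this sourcetype with a [monitor://...] stanza in inputs.conf (sourcetype = my_json_array), then confirm the split with a search such as `sourcetype=my_json_array | table _time a b c d`: the sample above should appear as three events whose _time values end in .539, .542 and .545 respectively, not one event carrying the first timestamp.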
Thanks for the update. I used the above props.conf without the line breaker and it worked well. Thanks again for your help.