Solved: Can you tell me what I am doing wrong with my prop...

daniel333 · ‎07-06-2016

All,

I have the following little JSON dump which works perfectly out of the box. But for best practices I was writing out my entire props.conf.

[root@SERVER bin]# ./callstatus.sh 
{
   "current": {
      "health": 1,
      "subject": "Facebook Platform is Healthy"
   },
   "push": {
      "status": "Complete",
      "updated": "2016-07-05T15:58:37-07:00",
      "id": 61595219
   }

When I set this, it works fine.

[facebook:curl:status]
# Index time extractions
KV_MODE=json

But once I add the CURRENT to the time the event gets weirdly line broken.

[facebook:curl:status]
# Index time extractions
KV_MODE=json
DATETIME_CONFIG=CURRENT

Any ideas why DATETIME_CONFIG=CURRENT is breaking it?

woodcock · ‎07-06-2016

This is documented:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configuretimestamprecognition

Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely not to work as desired.
When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging.

View solution in original post

woodcock · ‎07-06-2016

This is documented:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configuretimestamprecognition

Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely not to work as desired.
When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging.

Can you tell me what I am doing wrong with my props.conf for this JSON file?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!