All,
I have the following little JSON dump which works perfectly out of the box. But for best practices I was writing out my entire props.conf.
[root@SERVER bin]# ./callstatus.sh
{
    "current": {
        "health": 1,
        "subject": "Facebook Platform is Healthy"
    },
    "push": {
        "status": "Complete",
        "updated": "2016-07-05T15:58:37-07:00",
        "id": 61595219
    }
}
When I set this, it works fine.
[facebook:curl:status]
# Index time extractions
KV_MODE=json
But once I add the CURRENT to the time the event gets weirdly line broken.
[facebook:curl:status]
# Index time extractions
KV_MODE=json
DATETIME_CONFIG=CURRENT
Any ideas why DATETIME_CONFIG=CURRENT is breaking it?
This is documented:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configuretimestamprecognition
Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely not to work as desired.
When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging.
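One way to apply the note above to the stanza from the question, as an added example that is not part of the original thread. It assumes each run of callstatus.sh prints exactly one JSON object and that the opening brace of that object is the only line beginning with `{`, as in the dump shown.

```ini
# props.conf (added example, not from the original thread)

# Before, as posted in the question. DATETIME_CONFIG = CURRENT disables
# timestamp identification, so the default BREAK_ONLY_BEFORE_DATE = true
# no longer gives a usable event boundary:
#
# [facebook:curl:status]
# KV_MODE = json
# DATETIME_CONFIG = CURRENT

# After: state the event boundary explicitly instead of relying on a date.
[facebook:curl:status]
# Stamp each event with the time it is indexed.
DATETIME_CONFIG = CURRENT
# Merge the lines of one JSON dump back into a single event.
SHOULD_LINEMERGE = true
# Do not wait for a timestamp to start a new event.
BREAK_ONLY_BEFORE_DATE = false
# Assumption: only the top-level object opens with "{" at the start of a line.
BREAK_ONLY_BEFORE = ^\{
# Search-time JSON field extraction, unchanged from the question.
KV_MODE = json
```

The line-merging and timestamp settings take effect where the data is parsed (indexer or heavy forwarder), while KV_MODE is read at search time, so the stanza has to be present on both tiers in a distributed deployment.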