Getting Data In

I have a JSON file with two timestamps. How do I edit props.conf to extract the second timestamp?

anilchaithu
Builder

I have a JSON file with two timestamps. I would like to extract the second timestamp (highlighted in bold). I have tried props.conf configuration file in indexer as given below

props.conf

KV_MODE=none
TIME_PREFIX = 
MAX_TIMESTAMP_LOOKAHEAD=100

sample file

[
{
"ApproximateArrivalTimestamp": "2016-11-01 13:43:29.857000+00:00",
"Data": "{\"id\":\"9598390425884735158\",\"packetType\":\"sSns\",\"projectId\":845,\"adapterId\":\"1087\",\"time\":30095764,\"gid\":\"01:d8:95:24:ef:56:aa\",\"version\":\"1\",\"timestamp\":\"2016-11-07T13:43:29.316Z\",\"adapterType\":\"Blufi\",\"battery\":3630,\"temp\":25.0,\"eventCounter\":[3864,2797,237,2263,0,0],\"xAccel\":-0.95703125,\"yAccel\":0.08203125,\"zAccel\":0.046875}",
"PartitionKey": "p:845:b:1087",
"SequenceNumber": "49560220030257590074301033785634074783409781971940802562"
}
]

0 Karma

gokadroid
Motivator

If you have that many \ in the data to escape the " then you can try putting following in TIME_PREFIX which should point it to the appropriate string you are interested in.

TIME_PREFIX = \\\"timestamp\\\":\\\"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...