Hi,

Super straightforward question: how do I select a JSON field for Splunk to use to set _time?

I have a working REST API add-on built using Splunk AoB. I need to use one of the fields from the JSON response called "updated", i.e. {... "updated": "2019-12-10T00:00:00.000+08:00" ...}

I can't seem to find any option in the wizard to do that.

I tried manipulating the props.conf generated by the AoB, particularly adding the params TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD, but it did not work. For a sanity check, I ingested the same JSON via oneshot with a manual props.conf to check if my TIME_PREFIX regex works. It does.

Thanks in advance.
Figured out my mistake in TIME_PREFIX in props.conf.

Where I went wrong was with the regex. Apparently, AoB is prettifying the JSON response from REST, whereas when you use cURL the JSON returned is ugly, so my regex worked with the pattern updated\"\:\"

I changed the pattern to updated\"\:\s\" and it now gets that field "updated" to set _time.
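To make the cause of the mismatch concrete, here is an added example (not part of the thread and not Splunk's or Add-on Builder's code) that renders one JSON record both compact (as cURL returns it) and prettified (as the add-on hands it to Splunk), then emulates what TIME_PREFIX plus MAX_TIMESTAMP_LOOKAHEAD do: find the prefix, examine only a bounded window after it, and parse the timestamp. The record, the lookahead value, the strptime format and the third, whitespace-tolerant prefix pattern are my assumptions; only the two prefix patterns come from the answer above.

```python
import json
import re
from datetime import datetime

# Constructed sample record with the shape described in the question.
RECORD = {"id": 42, "status": "ok", "updated": "2019-12-10T00:00:00.000+08:00"}

# The same JSON rendered two ways. Compact is what cURL shows; prettified is
# what Add-on Builder emits, and the only difference that matters here is the
# space after the colon.
COMPACT_JSON = json.dumps(RECORD, separators=(",", ":"))   # {"id":42,...,"updated":"2019-..."}
PRETTY_JSON = json.dumps(RECORD, indent=4)                 # "updated": "2019-..."

# TIME_PREFIX patterns from the answer, plus a tolerant variant (assumed, not from the thread)
# that matches however much whitespace sits around the colon.
PREFIX_ORIGINAL = r'updated\"\:\"'      # no whitespace allowed after the colon
PREFIX_FIXED = r'updated\"\:\s\"'       # exactly one whitespace character
PREFIX_TOLERANT = r'"updated"\s*:\s*"'  # zero or more whitespace characters

# Python equivalent of the TIME_FORMAT a props.conf stanza would carry for this value
# (assumed; the thread never states its TIME_FORMAT).
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"
# Mirrors MAX_TIMESTAMP_LOOKAHEAD: only this many characters after the prefix are inspected.
MAX_LOOKAHEAD = 32
# Shape of the timestamp itself, used to cut it out of the lookahead window.
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}")


def extract_time(raw, time_prefix, lookahead=MAX_LOOKAHEAD):
    """Emulate Splunk timestamp extraction for one event.

    Locate `time_prefix` in the raw event, then parse the timestamp from at most
    `lookahead` characters that follow it. Returns an aware datetime, or None
    when the prefix does not match (Splunk would then fall back to index time).
    """
    m = re.search(time_prefix, raw)
    if m is None:
        return None
    window = raw[m.end():m.end() + lookahead]
    ts = TIMESTAMP_RE.match(window)
    if ts is None:
        return None
    return datetime.strptime(ts.group(0), TIME_FORMAT)


def epoch_of(raw, time_prefix):
    """Return the _time Splunk would assign as epoch seconds, or None if extraction fails."""
    dt = extract_time(raw, time_prefix)
    return None if dt is None else int(dt.timestamp())


if __name__ == "__main__":
    for label, raw in (("compact", COMPACT_JSON), ("pretty", PRETTY_JSON)):
        for name, prefix in (("original", PREFIX_ORIGINAL),
                             ("fixed", PREFIX_FIXED),
                             ("tolerant", PREFIX_TOLERANT)):
            print(f"{label:8s} {name:9s} -> {epoch_of(raw, prefix)}")
```

Run as a script, the table shows the original pattern matching only the compact rendering, the fixed pattern matching only the prettified one, and the tolerant pattern matching both; the parsed value is the same instant in every successful case (2019-12-10 00:00 at +08:00, i.e. 2019-12-09 16:00 UTC). Anchoring the prefix on both the key and the quotes, and allowing `\s*` rather than exactly one `\s`, keeps _time extraction working if the producer changes its indentation again.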