
Splunk AoB : How to select a specific JSON field to set _time

morethanyell
Builder

Hi,

Super straightforward question: how do I select a JSON field for Splunk to use to set _time?

I have a working REST API add-on built using Splunk AoB. I need to use one of the fields from the JSON response called "updated", i.e. {... "updated": "2019-12-10T00:00:00.000+08:00" ...}, but I can't seem to find any option in the wizard to do that.

I tried manipulating the props.conf generated by the AoB, particularly adding the params TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD, but it did not work. As a sanity check, I ingested the same JSON via oneshot with a manual props.conf to check if my TIME_PREFIX regex works. It does.

Thanks in advance.

1 Solution

morethanyell
Builder

Figured out my mistake in TIME_PREFIX in props.conf

Where I went wrong was with the regex. Apparently, AoB is prettifying the JSON response from REST, whereas when you use cURL the JSON returned is ugly, so my regex worked with the pattern updated\"\:\"

I changed the pattern to updated\"\:\s\" and it now gets that field "updated" to set _time

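As an added example (not from the original thread), this Python script reproduces why the first pattern failed: it runs the same record, once compact as cURL prints it and once pretty-printed as AoB delivers it, through a simplified emulation of TIME_PREFIX plus MAX_TIMESTAMP_LOOKAHEAD. The sample record, the `extract_time` and `compare_prefixes` helpers and the lookahead of 30 characters are assumptions; it also shows the caveat that the `\s` fix matches only the pretty-printed form, while `\s*` handles both.

```python
import json
import re
from datetime import datetime

# Constructed sample event, not from the original post: the same JSON
# object twice, once compact (as cURL prints it) and once pretty-printed
# (as the Add-on Builder hands it to the indexer, per the answer above).
RECORD = {"id": 42, "updated": "2019-12-10T00:00:00.000+08:00", "status": "ok"}
COMPACT_JSON = json.dumps(RECORD, separators=(",", ":"))
PRETTY_JSON = json.dumps(RECORD, indent=4)

# The three TIME_PREFIX candidates: the original (fails on pretty JSON),
# the poster's fix (\s needs exactly one whitespace, so it fails on compact
# JSON), and a \s* variant that tolerates both layouts.
TIME_PREFIX_ORIGINAL = r'updated\"\:\"'
TIME_PREFIX_FIXED = r'updated\"\:\s\"'
TIME_PREFIX_ROBUST = r'updated\"\:\s*\"'

# Simplified emulation of how Splunk applies these props.conf settings
# (an approximation for illustration, not Splunk's actual timestamp code):
# locate TIME_PREFIX, then look at most MAX_TIMESTAMP_LOOKAHEAD characters
# past the match for an ISO-8601 timestamp.
def extract_time(raw, time_prefix, max_lookahead=30):
    m = re.search(time_prefix, raw)
    if m is None:
        return None  # prefix not found: Splunk would fall back to other heuristics
    window = raw[m.end():m.end() + max_lookahead]
    ts = re.match(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}", window)
    if ts is None:
        return None
    # Python's %z accepts the "+08:00" offset form since 3.7.
    return datetime.strptime(ts.group(0), "%Y-%m-%dT%H:%M:%S.%f%z")

def compare_prefixes():
    """Return {pattern_name: (matched_compact, matched_pretty)} for the three patterns."""
    results = {}
    for name, pattern in [("original", TIME_PREFIX_ORIGINAL),
                          ("fixed", TIME_PREFIX_FIXED),
                          ("robust", TIME_PREFIX_ROBUST)]:
        results[name] = (extract_time(COMPACT_JSON, pattern) is not None,
                         extract_time(PRETTY_JSON, pattern) is not None)
    return results

if __name__ == "__main__":
    for name, (compact_ok, pretty_ok) in compare_prefixes().items():
        print(f"{name:8s} compact={compact_ok} pretty={pretty_ok}")
```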
