- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Timestamp preview different than timestamp in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here is my props.conf
[json_no_timestamp_new]
INDEXED_EXTRACTIONS = json
KV_MODE = json
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT = %s%3N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 512
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true
I tried to attached the preview from splunk and data coming from splunk forwarder but I am not able to do so...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[json_timestamp]
INDEXED_EXTRACTIONS = json
TIME_FORMAT = %s%3N
TIMESTAMP_FIELDS = timestamp
TIME_PREFIX = timestamp
SHOULD_LINEMERGE = false
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true
This is the props that worked out for me finally if anyone is interested in the future. TIMESTAMP_FIELDS didn't unfortunately work with the forwarder (although it worked in the data preview)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[json_timestamp]
INDEXED_EXTRACTIONS = json
TIME_FORMAT = %s%3N
TIMESTAMP_FIELDS = timestamp
TIME_PREFIX = timestamp
SHOULD_LINEMERGE = false
description = JavaScript Object Notation
category = Structured
disabled = false
pulldown_type = true
This is the props that worked out for me finally if anyone is interested in the future. TIMESTAMP_FIELDS didn't unfortunately work with the forwarder (although it worked in the data preview)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The event starts with {"building":
Sample event below
{"building": false, "changeSet": {"items": [], "kind": null}, "builtOn": "rhel6", "description": null, "artifacts": [], "timestamp": 1430241584496, "number": 13, "actions": [{"causes": [{"upstreamBuild": 14, "shortDescription": "Started by upstream project \"answers\" build number 14", "upstreamProject": "answers", "upstreamUrl": "job/answers/"}]}, {}, {}, {}, {}, {"highlightsData": "[{\"Previous Job\":\"answers#14\"},{\"Previous Job\":\"answers_se\"},{\"Build host\":\"rhel6\"}]", "highlightsTable": "<h4>Global Patterns</h4><b>Previous Job:</b><b>Started by <a href="/hudson/job/answers/14/">answers</a></b><b>Previous Job:</b><b>Started by <a href="/hudson/job/answers/8/">answers #8</a></b><b>Build host:</b><b>Built on <a href="/hudson/computer/rhel6/">rhel6</a></b>"}], "id": "2015-04-28_17-19-44", "keepLog": false, "url": "http://thefactory.xyz.com:9999/jenkins/job/answers/13/", "culprits": [], "result": "SUCCESS", "executor": null, "duration": 377658, "fullDisplayName": "answers", "estimatedDuration": 298415}
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
