Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

props.conf timestamp clarification

wwhite12
Path Finder
‎05-07-2020 08:53 AM

I have json data that can vary greatly in size with the timestamp field coming at the end of each event. I'm able to parse all the timestamps correctly using the config TIME_PREFIX="timestamp":+ except for the events that are very large. My question is, in order to parse the timestamp for the very large events, do I need to add a MAX_TIMESTAMP_LOOKAHEAD? Or if I added a larger TRUNCATE would the TIME_PREFIX config still need the MAX_TIMESTAMP_LOOKAHEAD?

props.conf
[mysourcetype]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIME_PREFIX="timestamp":+

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-07-2020 10:07 AM

The MAX_TIMESTAMP_LOOKAHEAD settings starts at TIME_PREFIX so changing it won't help. It's likely you're running into your TRUNCATE limit. Try increasing that after you make sure events are breaking correctly.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

shivanshu1593
Builder
‎05-07-2020 10:16 AM

As @richgalloway rightly pointed, you should look into increasing the value of TRUNCATE (Defaults to 10,000). Splunk logs it's complain regarding the truncate issues in splunkd.log inside $SPLUNK_HOME/var/log/splunk. You can check it, to make sure you're facing the same issue.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-07-2020 10:07 AM

The MAX_TIMESTAMP_LOOKAHEAD settings starts at TIME_PREFIX so changing it won't help. It's likely you're running into your TRUNCATE limit. Try increasing that after you make sure events are breaking correctly.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...