We are trying to parse a JSON file for indexing. While parsing, we have two events in the JSON file, shown below:
[
{
"timestamp": "2014-04-07 00:00:36.297",
"source": "HOST",
"sourcetype": "Windows",
"host": "10.10.10.10",
"hardwareRevision": "0200"
},
{
"timestamp": "2014-04-07 00:00:36.297",
"source": "HOST",
"sourcetype": "LINUX",
"host": "10.10.10.20",
"hardwareRevision": "NA"
}
]
I am declaring the following params in props.conf
KV_MODE=json
NO_BINARY_CHECK=1
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
But the indexer recognizes only one event instead of two. It doesn't recognize the second timestamp. I don't see any examples of props.conf for JSON on the internet. Are there any samples of props.conf showing how it should look for a JSON file?
Thanks in advance.