Set up Splunk monitoring to watch a directory. Files started coming in, but the timestamp was not being parsed correctly. I adjusted this under Settings > Data > Source Type: I cloned the default json, clicked Advanced and set the timestamp to `%d-%m-%Y%H:%M:%S` for the field systemTime. (I even tried adding surrounding quotes at one point.)
Example dataset:

```json
[{
"systemTime" : "22-01-2019_15:05:01",
"fieldType" : "XXX-XXX",
"fieldLocation" : "XXX1",
"fieldCommand" : "XXXXXX",
"kernalName" : "Linux",
"nodeName" : "x86_64",
"kernalRelease" : "4.15.0-43-generic",
"kernalVersion" : "#46~16.04.1-Ubuntu SMP Fri Dec 7 13:31:08 UTC 2018",
"machine" : "x86_64",
"processor" : "x86_64",
"hardwarePlatform" : "x86_64",
"operatingSystem" : "GNU/Linux",
"timeup" : " 15:05:01 up 8 days, 4:48, 2 users, load average: 0.35, 0.40, 0.31",
"soft1Version" : "XXXXX",
"soft2Version" : "XXXXXXXX"
}]
```
I noticed the files stopped coming in, so I checked `index=_internal source=*/splunkd.log OR source=*\\splunkd.log | search *system* log_level=ERROR` and found errors like `ERROR JsonLineBreaker - JSON StreamId:3524616290329204733 had parsing error:Unexpected character while looking for value: '\\'`.
Despite the files not being ingested, when I go to Settings > Data Inputs > Files & Directories the file count for that directory continues to rise.
It seems that if I remove the timestamp part, the file does get processed correctly, but `_time` becomes 1979...
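Added check (not from the original post or from Splunk): validate a candidate TIME_FORMAT against sample records with Python's strptime, which uses the same %-directives, before cloning a source type, and render the matching props.conf stanza. Assumptions: the sample records are constructed, the `_` in the candidate format is taken from the systemTime value shown above, and the stanza name is hypothetical.

```python
import json
from datetime import datetime

# Constructed sample records in the shape of the post's dataset (values
# invented here; only systemTime matters for the check).
SAMPLE_RECORDS = json.loads("""[
  {"systemTime": "22-01-2019_15:05:01", "kernalName": "Linux"},
  {"systemTime": "23-01-2019_09:17:44", "kernalName": "Linux"}
]""")

# The format configured in the post, and a candidate that includes the "_"
# separating date and time in the data (my assumption from the sample value).
FORMAT_AS_CONFIGURED = "%d-%m-%Y%H:%M:%S"
FORMAT_CANDIDATE = "%d-%m-%Y_%H:%M:%S"


def check_time_format(records, time_format, field="systemTime"):
    """Parse `field` of each record with `time_format`; return (parsed, failures).
    Splunk's TIME_FORMAT uses the same %-directives as strptime, so a failure
    here predicts that Splunk will not take its timestamp from this field."""
    parsed, failures = {}, {}
    for rec in records:
        raw = rec.get(field)
        if not isinstance(raw, str):
            failures[repr(raw)] = f"{field} missing or not a string"
            continue
        try:
            parsed[raw] = datetime.strptime(raw, time_format)
        except ValueError as exc:
            failures[raw] = str(exc)
    return parsed, failures


def props_conf_stanza(sourcetype, time_format, lookahead, field="systemTime"):
    """Render a props.conf stanza for a validated format. The stanza name is
    hypothetical; the keys are standard Splunk source-type settings."""
    return "\n".join([
        f"[{sourcetype}]",
        "INDEXED_EXTRACTIONS = json",
        f'TIME_PREFIX = "{field}"\\s*:\\s*"',   # regex: anchor after the key
        f"TIME_FORMAT = {time_format}",
        f"MAX_TIMESTAMP_LOOKAHEAD = {lookahead}",  # chars to scan past prefix
    ])


if __name__ == "__main__":
    for fmt in (FORMAT_AS_CONFIGURED, FORMAT_CANDIDATE):
        ok, bad = check_time_format(SAMPLE_RECORDS, fmt)
        print(f"{fmt!r}: {len(ok)} parsed, {len(bad)} failed")
    ok, _ = check_time_format(SAMPLE_RECORDS, FORMAT_CANDIDATE)
    print(props_conf_stanza("custom_json", FORMAT_CANDIDATE, max(map(len, ok))))
```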