Setting a field in json as your _time field in Splunk

A problem I have been encountering is trying to set a date field within my json response file as the _time field in my Splunk data upon import. I have read lots of posts on it and found that less is more when it comes to accomplishing this. Adding the following stanza to a props.conf file in the /opt/splunkforwarder/etc/system/local folder accomplished this. As you can see from the path, it is on the Splunk Universal Forwarder.

The json file is created by a python script that hits an API and returns the data (more on that later). The date field I want is the second date field in the json string, so Splunk was grabbing the first one, and sometimes it fell back to the file's creation date and time.

After trying several different variations of the stanza, the code below finally worked. I hope this helps you!

[source::/data/logs/prod.json]
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N
TIME_PREFIX="lastInformTime": "
MAX_TIMESTAMP_LOOKAHEAD = 24
MAX_DAYS_HENCE = 10
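To show why the stanza picks the second date, here is an added example (my own emulation, not Splunk's engine and not part of the original post) that applies TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD and MAX_DAYS_HENCE to a constructed event with two date fields. It assumes Splunk's default lookahead of 128 when no prefix is set, and maps Splunk's %3N to Python's %f; an event stamped with the wrong date lands outside the search windows your detections and correlation rely on, which is the practical cost of getting this wrong.

```python
import re
from datetime import datetime, timedelta

# Constructed sample event shaped like the json the post describes: two date
# fields, and the wanted one ("lastInformTime") comes second.
SAMPLE_EVENT = ('{"deviceId": "dev-001", "createdTime": "2023-01-02T03:04:05.678", '
                '"lastInformTime": "2023-05-06T07:08:09.123", "status": "ok"}')
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%3N"   # as in the post's stanza
TIME_PREFIX = '"lastInformTime": "'      # as in the post's stanza

# TIME_FORMAT token -> (regex, Python strptime token). %3N (milliseconds) is
# Splunk-only; Python's %f parses the same three digits.
TOKENS = {"%Y": (r"\d{4}", "%Y"), "%m": (r"\d{2}", "%m"), "%d": (r"\d{2}", "%d"),
          "%H": (r"\d{2}", "%H"), "%M": (r"\d{2}", "%M"), "%S": (r"\d{2}", "%S"),
          "%3N": (r"\d{3}", "%f")}

def compile_format(time_format):
    """Turn a Splunk TIME_FORMAT into (regex, strptime format)."""
    pattern, py_fmt = "", ""
    for piece in re.split(r"(%3N|%[YmdHMS])", time_format):
        rx, tok = TOKENS.get(piece, (re.escape(piece), piece))
        pattern, py_fmt = pattern + rx, py_fmt + tok
    return re.compile(pattern), py_fmt

def extract_time(raw, time_format, time_prefix="", lookahead=128,
                 max_days_hence=10, now=None):
    """Pick the timestamp the way the post's props.conf settings direct Splunk to.
    TIME_PREFIX is a regex the timestamp must follow; lookahead (Splunk's default
    is 128) caps how far past it the format is searched; MAX_DAYS_HENCE rejects
    timestamps too far in the future. None means nothing valid was found, where
    Splunk would fall back to e.g. the file's modification time."""
    hit = re.search(time_prefix, raw)          # an empty prefix matches at offset 0
    if hit is None:
        return None
    regex, py_fmt = compile_format(time_format)
    match = regex.search(raw[hit.end():hit.end() + lookahead])
    if match is None:
        return None
    ts = datetime.strptime(match.group(0), py_fmt)
    too_far = ts > (now or datetime.now()) + timedelta(days=max_days_hence)
    return None if too_far else ts

def demo():
    no_prefix = extract_time(SAMPLE_EVENT, TIME_FORMAT)               # first date wins
    with_prefix = extract_time(SAMPLE_EVENT, TIME_FORMAT, TIME_PREFIX, lookahead=24)
    too_far = extract_time(SAMPLE_EVENT, TIME_FORMAT, TIME_PREFIX, lookahead=24,
                           now=datetime(2023, 1, 1))                  # > 10 days hence
    return [t.isoformat() if t else None for t in (no_prefix, with_prefix, too_far)]
```

demo() returns the first date without a prefix, the lastInformTime date with it, and None when that date is more than MAX_DAYS_HENCE days past the reference "now".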

Here are some of the other answers I tried.
