-health_checkin_date: 2016-10-30T09:45:28.824Z
That is the line from a JSON event being sent into my Splunk instance via TCP syslog. It's being put into an index in an app I made, so I added the following the props.conf of that app:
[company_product]
TRUNCATE=0
TIME_PREFIX=\"-health_checkin_date\":\s
TIME_FORMAT=%Y-%m-%dT%T.%3N%Z
CHARSET=AUTO
KV_MODE=NONE
INDEXED_EXTRACTIONS=JSON
This stanza matches what is set in the TCP receiver as the custom sourcetype for this port, but the timestamp isn't being properly extracted. I'm intentionally prefixing the field with a hyphen so Splunk will find it quickly in the event. Am I editing the wrong props.conf?
↧
