I have JSON for emails like the following:
{
  computer: { ... }
  date: 2018-03-08T11:42:57+00:00
  event_type_id: 553648152
  timestamp: 1520509377
  timestamp_nanoseconds: 893334279
}
Note: the time above is in UTC.
However, my time is set to PST, and so it looks like I'm getting the index time, with a timestamp of **"11/14/17 6:50:49.000 PM"**
This is what's in my props.conf:
[cisco:amp:json]
SHOULD_LINEMERGE = true
pulldown_type = 1
category = Splunk App Add-on Builder
LINE_BREAKER = ([\r\n]*)\{\"event_type\"\:
TIME_PREFIX = timestamp:\s*
TIME_FORMAT = %s
KV_MODE = json
TRANSFORMS-amp_hostname = force_amp_hostname
EXTRACT-amp_hostname = \"hostname\"\:\s*\"(?[^\"]*)
EXTRACT-amp_file_name = \"file_name\"\:\s*\"(?[^\"]*)
EXTRACT-amp_file_path = \"file_path\"\:\s*\"(?[^\"]*)
EXTRACT-amp_user = \"user\"\:\s?\"(?[^\"]+)
EVAL-signature =
EVAL-action =
EVAL-file_hash =
BREAK_ONLY_BEFORE = ([\r\n]*)\{\"event_type\"\:
DATETIME_CONFIG =
NO_BINARY_CHECK = true
disabled = false
INDEXED_EXTRACTIONS = json
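As an added illustration (not part of the question above and not Splunk's own code), the following Python models how a TIME_PREFIX regex is applied to the raw event text before TIME_FORMAT = %s is read from what follows it. The raw event is a constructed sample in the shape of the question's JSON: on disk the keys are double-quoted, so a prefix pattern written for the pretty-printed view (timestamp: with no quote) and one written for the raw text ("timestamp": with the quote) behave differently. The functions extract_epoch and epoch_to_utc are my names, and the matching logic is a simplified stand-in for the indexer, not its implementation.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the raw event as it would sit in the index, i.e. the
# single-line JSON with double-quoted keys, not the pretty-printed search view.
RAW_EVENT = (
    '{"event_type": "Threat Detected", "date": "2018-03-08T11:42:57+00:00", '
    '"event_type_id": 553648152, "timestamp": 1520509377, '
    '"timestamp_nanoseconds": 893334279, "computer": {"hostname": "host-a"}}'
)


def extract_epoch(raw, time_prefix):
    """Simplified model of TIME_PREFIX with TIME_FORMAT = %s (hypothetical
    helper, not Splunk's code): locate the prefix regex in the raw event and
    read the run of digits directly after it. Returns None when the prefix
    does not match at all, which is the case in which an indexer has to fall
    back to some other timestamp source such as the index time."""
    m = re.search(time_prefix, raw)
    if not m:
        return None
    digits = re.match(r"\d+", raw[m.end():])
    return int(digits.group()) if digits else None


def epoch_to_utc(epoch):
    """Epoch seconds carry no zone; interpret them as UTC explicitly so the
    result does not depend on the local timezone of the machine running this."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


if __name__ == "__main__":
    # Prefix written against the pretty-printed view: the quote after the key
    # name in the raw text sits between 'timestamp' and ':', so no match.
    print(extract_epoch(RAW_EVENT, r"timestamp:\s*"))          # None
    # Prefix written against the raw text, quote included.
    epoch = extract_epoch(RAW_EVENT, r'"timestamp":\s*')
    print(epoch)                                              # 1520509377
    print(epoch_to_utc(epoch).isoformat())                    # 2018-03-08T11:42:57+00:00
```

The closing quote in the second pattern also keeps it from matching the key `"timestamp_nanoseconds"`, which starts with the same characters; a pattern without that quote would be ambiguous between the two keys even if the quoting issue were solved. The UTC value the epoch resolves to is the one to compare against the `date` field; the search UI then renders it in whatever timezone the user has configured.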