Below is my event:
[ [-]
{ [-]
created_at: 2019-08-28T13:48:48.722Z
credibility_score: -5
email: swathi.nandigam@xx.ae
id: 625
last_reported_at: 2019-08-28T13:52:48.000Z
reports_count: 1
updated_at: 2019-08-28T13:48:51.519Z
vip: false
}
{ [-]
created_at: 2019-08-28T04:46:22.106Z
credibility_score: 0
email: richard.talian@xx.ae
id: 624
last_reported_at: 2019-08-28T04:48:36.000Z
reports_count: 1
updated_at: 2019-08-28T04:46:24.169Z
vip: false
}
{ [-]
created_at: 2019-08-25T03:50:59.412Z
credibility_score: -5
email: muhammad.irfan@xx.ae
id: 623
last_reported_at: 2019-08-26T15:14:33.000Z
reports_count: 2
updated_at: 2019-08-26T15:10:40.260Z
vip: false
}
}
I want to break every single event, taking the timestamp from my last_reported_at field.
Below is my props.conf:
[xxx]
SHOULD_LINEMERGE = false
category = Splunk App Add-on Builder
pulldown_type = 1
KV_MODE = json
NO_BINARY_CHECK = true
TRUNCATE = 0
TIME_PREFIX = "last_reported_at":"
Please correct what's wrong with my props.conf.