
Identifying a timestamp inside of JSON


I have a timestamp field inside JSON in the format "2023 April 18 15:00:00 UTC". I cannot get Stream to recognize it. It keeps using current time. Any ideas?

Answers

  • Brendan Dalpe (Posts: 201, mod)

    What's your event breaker configured as?

  • Shawn Cannon (Posts: 130 ✭✭)

    Unfortunately that event comes in via syslog (I know, stupid, but that is how it comes in), so no event breaker.

  • David Maislin (Posts: 228, mod)

    `%Y %B %d %H:%M:%S`?

  • Shawn Cannon (Posts: 130 ✭✭)

    I have tried a time format as well, to no avail. I was thinking the UTC at the end was doing it. I will keep trying stuff.

  • Shawn Cannon (Posts: 130 ✭✭)

    It's weird, as I have the event in JSON format and I can see the field `_raw.Alert.timestamp`. I try to apply that field as my auto timestamp and it does not use it. Just a strange one.

  • David Maislin (Posts: 228, mod)

    That timestamp format I used works for me.

  • Shawn Cannon (Posts: 130 ✭✭)

    Yeah, I don't know what's up.

  • Paul Dott (Posts: 33 ✭✭)

    Have you tried Auto Timestamp plus setting an Additional Timestamp regex? I had to use this method for something that I think should have worked out of the box with the AWS event breaker ruleset.

  • Shawn Cannon (Posts: 130 ✭✭)

    I did try that and it still did not work.

  • Paul Dott (Posts: 33 ✭✭)

    Maybe the timestamp is quite far into the event. In the Auto Timestamp function, under Advanced, you can increase this setting to make it look further.

  • David Maislin (Posts: 228, mod)

    It was basically this Eval Function that fixed the issue with time:

  • David Maislin (Posts: 228, mod)

    ```
    // Eval Function, two "Evaluate Fields" rows, applied in order
    _raw = JSON.parse(_raw)
    _time = +C.Time.strftime(C.Time.strptime(_raw.Alert.timestamp, '%Y %B %d %H:%M:%S'), '%s')
    ```

  • David Maislin (Posts: 228, mod)

    You have to first parse the JSON string into an Object, then you can refer to the exact fieldname `_raw.Alert.timestamp` and pull out the time based on the format of the timestamp.

  • Shawn Cannon (Posts: 130 ✭✭)

    Thanks for posting, got busy and forgot.

  • David Maislin (Posts: 228, mod)

    IN & OUT

  • David Maislin (Posts: 228, mod)

    Thanks for providing clean data so I can share the summary easier 🙂

  • Shawn Cannon (Posts: 130 ✭✭)

    Always happy to help

  • David Maislin (Posts: 228, mod)

    The same expression can also be used in Auto Timestamp, but you have to know the length of the event to know how far to look. Funny, I started with 500 for the Start Scan Offset as a guess at the length of the event, and it was 716. It didn't look that big to my eyes, honestly.

  • Shawn Cannon (Posts: 130 ✭✭)

    Nice

  • David Maislin (Posts: 228, mod)

    You can also adjust the Max Timestamp Scan Depth too!

  • David Maislin (Posts: 228, mod)

    But now you see why I like to convert to an object: I don't always want to guess the event length, as the timestamp can be anywhere in the event in some cases.
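Both approaches from this thread in one runnable example (added here; this is not code from the thread or from Cribl). It re-implements the `%Y %B %d %H:%M:%S` parsing in plain Node.js because `C.Time.strptime` and `C.Time.strftime` only exist inside Stream, and it shows the two failure modes discussed above: a worker-local timezone leaking into `_time` (avoided by building the value in UTC), and a depth-limited regex scan missing a timestamp that sits deep in the event and falling back to the current time, while reading `_raw.Alert.timestamp` from the parsed object finds it wherever it is. The sample event, its 600-byte padding field, and the `startOffset`/`maxDepth` window arithmetic in `timeFromScan` are constructed for illustration; they borrow the names of the Auto Timestamp settings but do not claim to reproduce Stream's internals.

```javascript
// Added example (not from the thread or Cribl). Run with: node timestamp_demo.js

const MONTHS = ['january', 'february', 'march', 'april', 'may', 'june', 'july',
  'august', 'september', 'october', 'november', 'december'];

// Parse "%Y %B %d %H:%M:%S" (full or 3-letter month name) with an optional
// trailing zone token such as the " UTC" in the question. Returns epoch seconds,
// or null when the string does not match. The value is built with Date.UTC, so
// the worker's local timezone never leaks into _time; parsing the same digits as
// local time would silently shift every event by the host's UTC offset.
function parseAlertTimestamp(s) {
  const m = /^(\d{4}) ([A-Za-z]{3,9}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2})(?: (UTC|GMT|Z))?$/
    .exec(String(s).trim());
  if (!m) return null;
  const tok = m[2].toLowerCase();
  const month = MONTHS.findIndex((name) => name.startsWith(tok));
  if (month === -1) return null;
  const [year, day, hh, mm, ss] = [m[1], m[3], m[4], m[5], m[6]].map(Number);
  if (hh > 23 || mm > 59 || ss > 59) return null;
  const ms = Date.UTC(year, month, day, hh, mm, ss);
  const d = new Date(ms);
  // Date.UTC rolls "April 31" over to May 1; reject that instead of accepting it.
  if (d.getUTCMonth() !== month || d.getUTCDate() !== day) return null;
  return Math.floor(ms / 1000);
}

// Approach 1 (the fix in the thread): parse _raw into an object and read the
// exact field. `now` stands in for the current time Stream assigns when it finds
// no timestamp; it is a parameter so the fallback is observable in tests.
function timeFromJson(raw, now = Math.floor(Date.now() / 1000)) {
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return now; }
  const ts = obj && obj.Alert ? obj.Alert.timestamp : undefined;
  const t = typeof ts === 'string' ? parseAlertTimestamp(ts) : null;
  return t === null ? now : t;
}

// Approach 2 (Auto Timestamp style): regex-scan the raw string, but only the
// window [startOffset, startOffset + maxDepth). Hypothetical simplification of
// the scan settings named in the thread, not Stream's implementation.
function timeFromScan(raw, { startOffset = 0, maxDepth = 150 } = {},
  now = Math.floor(Date.now() / 1000)) {
  const slice = raw.slice(startOffset, startOffset + maxDepth);
  const m = /\d{4} [A-Za-z]{3,9} \d{1,2} \d{2}:\d{2}:\d{2}(?: (?:UTC|GMT|Z))?/.exec(slice);
  const t = m ? parseAlertTimestamp(m[0]) : null;
  return t === null ? now : t;
}

// Constructed sample event: a 600-byte description pushes Alert.timestamp well
// past the first 150 bytes, the same situation as the 716-byte event above.
const SAMPLE_EVENT = JSON.stringify({
  Host: 'sensor-01',
  Source: 'constructed-sample',
  Description: 'x'.repeat(600),
  Alert: { id: 42, timestamp: '2023 April 18 15:00:00 UTC', severity: 'high' },
});

// Byte offset of the timestamp key, to compare against the scan window.
function timestampOffset(raw) {
  return raw.indexOf('"timestamp"');
}

function demo() {
  const NOW = 0; // sentinel so a fallback to "current time" is obvious
  console.log('offset of timestamp field :', timestampOffset(SAMPLE_EVENT));
  console.log('JSON.parse + exact field  :', timeFromJson(SAMPLE_EVENT, NOW));                       // 1681830000
  console.log('scan, depth 150           :', timeFromScan(SAMPLE_EVENT, { maxDepth: 150 }, NOW));  // 0 (missed)
  console.log('scan, depth 1000          :', timeFromScan(SAMPLE_EVENT, { maxDepth: 1000 }, NOW)); // 1681830000
}

demo();
```

The `1681830000` result is 2023-04-18T15:00:00Z. Note that `timeFromScan` with the shallow window returns the sentinel rather than the real time, which is exactly the "it keeps using current time" symptom from the question; the object-based approach does not depend on where in the event the field sits.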