Identifying a timestamp inside of JSON
I have a timestamp field inside JSON in the format "2023 April 18 15:00:00 UTC". I cannot get Stream to recognize it. It keeps using current time. Any ideas?
Answers
What's your event breaker configured as?
Unfortunately that event comes in via syslog (I know, stupid, but that is how it comes in), so no event breaker.
`%Y %B %d %H:%M:%S`?
I have tried a time format as well, to no avail. I was thinking the UTC at the end was doing it. I will keep trying stuff.
It's weird, as I have the event in JSON format and I can see the field `_raw.Alert.timestamp`. I try to apply that field as my auto timestamp and it does not use it. Just a strange one.
That timestamp format I used works for me.
Yeah, I don't know what's up.
Have you tried Auto Timestamp plus setting an Additional Timestamp regex? I had to use this method for something that I think should have worked out of the box with the AWS event breaker ruleset.
I did try that and it still did not work.
Maybe the timestamp is quite far ahead in the event. In the Auto Timestamp function, under Advanced, you can increase this setting to make it look further.
It was basically this Eval Function that fixed the issue with time:
```
_raw = JSON.parse(_raw)
_time = +C.Time.strftime(C.Time.strptime(_raw.Alert.timestamp, '%Y %B %d %H:%M:%S'), '%s')
```
You have to first parse the JSON string into an Object, then you can refer to the exact fieldname `_raw.Alert.timestamp` and pull out the time based on the format of the timestamp.
Thanks for posting, got busy and forgot.
IN & OUT
Thanks for providing clean data so I can share the summary more easily.
Always happy to help
The same expression can also be used in Auto Timestamp, but you have to know the length of the event to know how far to look. Funny, I started with 500 for the Start Scan Offset as a guess at the length of the event, and it was 716. It didn't look that big to my eyes, honestly.
Nice
You can also adjust the Max Timestamp Scan Depth too!
But now you see why I like to convert to an object: I don't always want to guess the event length, as the timestamp can be anywhere in the event in some cases.
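The two points made in this thread, parsing `Alert.timestamp` out of the JSON with the `%Y %B %d %H:%M:%S` format and seeing why a 500-character scan offset misses a timestamp sitting at offset 716, reproduced below as an added Python example (not the Cribl Eval expression from the thread). It uses Python's `datetime.strptime` in place of `C.Time.strptime`, and the syslog line, alert fields and padding are constructed sample data.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: a syslog line wrapping a JSON alert. A long description
# pushes the timestamp deep into the event, as in the thread (values are made up).
SAMPLE_EVENT = (
    '<14>Apr 18 15:00:01 sensor01 alerts: '
    '{"Alert": {"id": "example-0001", "severity": "high", '
    '"description": "' + 'x' * 600 + '", '
    '"timestamp": "2023 April 18 15:00:00 UTC"}}'
)

TIMESTAMP_FORMAT = "%Y %B %d %H:%M:%S"  # the format that worked in the thread


def extract_json_payload(raw: str) -> dict:
    """Return the JSON object embedded in a syslog line (from the first '{' on)."""
    start = raw.find("{")
    if start < 0:
        raise ValueError("no JSON object in event")
    return json.loads(raw[start:])


def parse_alert_time(raw: str) -> int:
    """Epoch seconds from Alert.timestamp, with the trailing 'UTC' taken literally.

    Unlike the Cribl helper, Python's strptime requires the whole string to match
    the format, so the ' UTC' suffix the question suspected is stripped first and
    the result is pinned to UTC explicitly rather than to the local zone.
    """
    ts = extract_json_payload(raw)["Alert"]["timestamp"]
    ts_body = re.sub(r"\s*UTC$", "", ts)
    dt = datetime.strptime(ts_body, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def timestamp_offset(raw: str) -> int:
    """Character offset of the timestamp key in the raw event.

    An auto-timestamp scanner that stops before this offset never sees the
    value and silently falls back to the current time, which is the symptom
    described in the question.
    """
    return raw.index('"timestamp"')
```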