<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: JSON timestamps not parsed via HTTP Event Collector in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204690#M40394</link>
    <description>&lt;P&gt;I switched to using the Splunk-provided generic_single_line source type, and that doesn't work either. I am testing by POSTing to the collector, which has no TIME_PREFIX, and only posting the timestamp itself. It appears that I can only set the time via the "time" property on the enclosing JSON itself as detailed here: &lt;A href="http://dev.splunk.com/view/SP-CAAAE6P" target="_blank"&gt;http://dev.splunk.com/view/SP-CAAAE6P&lt;/A&gt;. Is that true?&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 09:56:16 GMT</pubDate>
    <dc:creator>bradserbuddy</dc:creator>
    <dc:date>2020-09-29T09:56:16Z</dc:date>
    <item>
      <title>JSON timestamps not parsed via HTTP Event Collector</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204689#M40393</link>
      <description>&lt;P&gt;Here are some of the values I am using for my JSON source type:&lt;/P&gt;

&lt;P&gt;MAX_TIMESTAMP_LOOKAHEAD = 1000 (as we have long JSON input)&lt;BR /&gt;
TIME_FORMAT = %FT%T.%3Q&lt;BR /&gt;
TIME_PREFIX = Timestamp\"\s:\s\"&lt;/P&gt;

&lt;P&gt;I've successfully imported the JSON from a file with the above source type values, but, for some reason, when coming in through my HTTP Event Collector, the timestamp isn't picked up (that is, _time is not set to the timestamp).&lt;/P&gt;

&lt;P&gt;I've restarted the server, tried different values for TIME_PREFIX (for instance not encoding the quotes, and dropping the \s regex) and TIME_FORMAT (for instance %Y-%m-%dT%H:%M:%S), and removed the KV_MODE=json to no avail.&lt;/P&gt;

&lt;P&gt;Am I misunderstanding the relationship between timestamp parsing and _time? Is there something else I need to do to get my source type to work with my HTTP Event Collector? Are there additional troubleshooting steps/tools I can use to help track down what's going on?&lt;/P&gt;

&lt;P&gt;Thanks,&lt;BR /&gt;
Brad&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 09:55:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204689#M40393</guid>
      <dc:creator>bradserbuddy</dc:creator>
      <dc:date>2020-09-29T09:55:11Z</dc:date>
    </item>
    <item>
      <title>Re: JSON timestamps not parsed via HTTP Event Collector</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204690#M40394</link>
      <description>&lt;P&gt;I switched to using the Splunk-provided generic_single_line source type, and that doesn't work either. I am testing by POSTing to the collector, which has no TIME_PREFIX, and only posting the timestamp itself. It appears that I can only set the time via the "time" property on the enclosing JSON itself as detailed here: &lt;A href="http://dev.splunk.com/view/SP-CAAAE6P" target="_blank"&gt;http://dev.splunk.com/view/SP-CAAAE6P&lt;/A&gt;. Is that true?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 09:56:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204690#M40394</guid>
      <dc:creator>bradserbuddy</dc:creator>
      <dc:date>2020-09-29T09:56:16Z</dc:date>
    </item>
    <item>
      <title>Re: JSON timestamps not parsed via HTTP Event Collector</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204691#M40395</link>
      <description>&lt;P&gt;Our JSON endpoint for HTTP Event Collector does not do timestamp extraction. Our JSON endpoint expects events sent using a lightweight structure, our &lt;A href="http://dev.splunk.com/view/event-collector/SP-CAAAE6P"&gt;JSON Event Protocol&lt;/A&gt;. The plus side is your "event" payload can be any JSON (or not) / can have whitespace, newlines, etc. and it will still come in as a single event. For example, you could also have a Java stack trace and it will easily go in as a single event. For the timestamp, you have to specify "time" explicitly outside the payload in the event envelope in epoch format, i.e.&lt;/P&gt;

&lt;P&gt;{&lt;BR /&gt;
    "time": 1426279439, &lt;BR /&gt;
    "host": "localhost",&lt;BR /&gt;
    "source": "datasource",&lt;BR /&gt;
    "sourcetype": "txt",&lt;BR /&gt;
    "index": "main",&lt;BR /&gt;
    "event": { "hello": "world" }&lt;BR /&gt;
}&lt;/P&gt;

&lt;P&gt;In Splunk Cloud / Splunk 6.4 you have a different option, our new &lt;A href="http://dev.splunk.com/view/event-collector/SP-CAAAE8Y"&gt;raw endpoint&lt;/A&gt;. With raw you can send an arbitrary payload to HEC (/services/collector/raw) and we will honor breaking rules and do timestamp extraction. It should, I believe, meet your need.&lt;/P&gt;</description>
      <pubDate>Sun, 12 Jun 2016 18:42:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204691#M40395</guid>
      <dc:creator>gblock_splunk</dc:creator>
      <dc:date>2016-06-12T18:42:19Z</dc:date>
    </item>
  </channel>
</rss>

