<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype _json in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/TIMESTAMP-FIELDS-for-different-sources-and-timestamps-using-same/m-p/482035#M82608</link>
    <description>&lt;P&gt;This works, thanks:&lt;/P&gt;

&lt;P&gt;UF&lt;/P&gt;

&lt;P&gt;props.conf&lt;BR /&gt;
[metrics_json]&lt;BR /&gt;
TIMESTAMP_FIELDS = start&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z&lt;BR /&gt;
INDEXED_EXTRACTIONS = json&lt;/P&gt;

&lt;P&gt;inputs.conf&lt;BR /&gt;
[monitor:///VAR/logs/metrics.log]&lt;BR /&gt;
blacklist = archives&lt;BR /&gt;
disabled = false&lt;BR /&gt;
index = ppr_app&lt;BR /&gt;
sourcetype = metrics_json&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;IDX&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;P&gt;[metrics_json]&lt;BR /&gt;
TIMESTAMP_FIELDS = start&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;SH&lt;/P&gt;

&lt;P&gt;props.conf&lt;BR /&gt;
[metrics_json]&lt;BR /&gt;
KV_MODE = json&lt;/P&gt;</description>
    <pubDate>Wed, 30 Sep 2020 02:17:44 GMT</pubDate>
    <dc:creator>splunkreal</dc:creator>
    <dc:date>2020-09-30T02:17:44Z</dc:date>
    <item>
      <title>TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype _json</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TIMESTAMP-FIELDS-for-different-sources-and-timestamps-using-same/m-p/482033#M82606</link>
      <description>&lt;P&gt;Hello guys,&lt;/P&gt;

&lt;P&gt;TIMESTAMP_FIELDS must be set up in props.conf on the indexer side, so how do we use TIMESTAMP_FIELDS for different sources and timestamps using the same sourcetype _json? Must we define sub-sourcetypes? Is it possible, and how?&lt;/P&gt;

&lt;P&gt;First source :&lt;/P&gt;

&lt;P&gt;[_json] &lt;BR /&gt;
TIMESTAMP_FIELDS = @&lt;STRONG&gt;timestamp&lt;/STRONG&gt; &lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z &lt;/P&gt;

&lt;P&gt;Second source :&lt;/P&gt;

&lt;P&gt;[_json] &lt;BR /&gt;
TIMESTAMP_FIELDS = @&lt;STRONG&gt;start&lt;/STRONG&gt;&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z &lt;/P&gt;

&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 02:12:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TIMESTAMP-FIELDS-for-different-sources-and-timestamps-using-same/m-p/482033#M82606</guid>
      <dc:creator>splunkreal</dc:creator>
      <dc:date>2020-09-30T02:12:02Z</dc:date>
    </item>
    <item>
      <title>Re: TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype _json</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TIMESTAMP-FIELDS-for-different-sources-and-timestamps-using-same/m-p/482034#M82607</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;When you start Splunk, it merges all stanzas and parameters from the same type of configuration file defined in the various apps and in &lt;CODE&gt;system/default&lt;/CODE&gt; &amp;amp; &lt;CODE&gt;system/local&lt;/CODE&gt;. When you define the same parameter for the same sourcetype in the same configuration file (in your case props.conf), the precedence order comes into play. Have a look at &lt;A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles"&gt;https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;What you want to achieve &lt;STRONG&gt;might&lt;/STRONG&gt; not be possible using &lt;STRONG&gt;sourcetype&lt;/STRONG&gt;, but if you have a different &lt;STRONG&gt;source&lt;/STRONG&gt; for each of the two data sets then you can use the configuration below&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[source::yourSource1]
TIMESTAMP_FIELDS = @timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z

[source::yourSource2]
TIMESTAMP_FIELDS = @start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Or you can try the config below if you want to use &lt;STRONG&gt;sourcetype&lt;/STRONG&gt;, but I would not suggest modifying a default sourcetype that ships with the Splunk installation. Best practice is to create your own sourcetype.&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yourSourcetype]
TIMESTAMP_FIELDS = @timestamp,@start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 18 Sep 2019 08:47:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TIMESTAMP-FIELDS-for-different-sources-and-timestamps-using-same/m-p/482034#M82607</guid>
      <dc:creator>harsmarvania57</dc:creator>
      <dc:date>2019-09-18T08:47:52Z</dc:date>
    </item>
    <item>
      <title>Re: TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype _json</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TIMESTAMP-FIELDS-for-different-sources-and-timestamps-using-same/m-p/482035#M82608</link>
      <description>&lt;P&gt;This works, thanks:&lt;/P&gt;

&lt;P&gt;UF&lt;/P&gt;

&lt;P&gt;props.conf&lt;BR /&gt;
[metrics_json]&lt;BR /&gt;
TIMESTAMP_FIELDS = start&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z&lt;BR /&gt;
INDEXED_EXTRACTIONS = json&lt;/P&gt;

&lt;P&gt;inputs.conf&lt;BR /&gt;
[monitor:///VAR/logs/metrics.log]&lt;BR /&gt;
blacklist = archives&lt;BR /&gt;
disabled = false&lt;BR /&gt;
index = ppr_app&lt;BR /&gt;
sourcetype = metrics_json&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;IDX&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;P&gt;[metrics_json]&lt;BR /&gt;
TIMESTAMP_FIELDS = start&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;SH&lt;/P&gt;

&lt;P&gt;props.conf&lt;BR /&gt;
[metrics_json]&lt;BR /&gt;
KV_MODE = json&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 02:17:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TIMESTAMP-FIELDS-for-different-sources-and-timestamps-using-same/m-p/482035#M82608</guid>
      <dc:creator>splunkreal</dc:creator>
      <dc:date>2020-09-30T02:17:44Z</dc:date>
    </item>
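The source:: stanzas suggested in the first reply and the custom metrics_json sourcetype stanza in the accepted reply can both be checked before they are deployed to a forwarder or indexer. The script below is an added example, not code from the thread or from Splunk: it reads a hypothetical props.conf fragment, picks the stanza Splunk would apply to each source (a matching source:: stanza takes precedence over the sourcetype stanza), and verifies that every constructed sample event carries the configured TIMESTAMP_FIELDS value and that TIME_FORMAT actually parses it. The file paths, stanza names, sample events and props.conf text are all assumptions, and the TIME_FORMAT used here is plain ISO-8601 with milliseconds and a numeric zone offset, without the extra "." before %z that appears in the thread's value. Events that fail this check would get an auto-detected or index-time timestamp in Splunk, which silently breaks time-based correlation and incident timelines.

```python
# Pre-flight check for Splunk per-source / per-sourcetype timestamp settings.
# Added example (not from the thread or Splunk); paths, stanzas, events assumed.
import json
import re
from datetime import datetime

# Constructed sample events: source -> (sourcetype, JSON lines). Two JSON
# sources carry their timestamp in different fields, as in the thread.
SAMPLE_SOURCES = {
    "/var/log/app/events.log": ("_json", [
        '{"@timestamp": "2020-09-30T02:12:02.123+0000", "level": "INFO", "msg": "login ok"}',
        '{"@timestamp": "2020-09-30T02:12:03.456+00:00", "level": "WARN", "msg": "login failed"}',
    ]),
    "/var/log/app/metrics.log": ("metrics_json", [
        '{"start": "2020-09-30T02:17:44.001+0000", "cpu": 12.5}',
        '{"cpu": 3.1}',                                  # timestamp field absent
        '{"start": "30/09/2020 02:17:45", "cpu": 4.0}',  # does not match TIME_FORMAT
    ]),
}

# Hypothetical props.conf: a source:: stanza for the first file, a custom
# sourcetype stanza for the second (both forms appear in the replies above).
PROPS_CONF = """
[source::/var/log/app/events*.log]
TIMESTAMP_FIELDS = @timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z

[metrics_json]
TIMESTAMP_FIELDS = start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
INDEXED_EXTRACTIONS = json
"""


def parse_props(text):
    """Minimal props.conf reader: {stanza: {key: value}}; comments and blanks skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def splunk_to_python_format(fmt):
    """Translate Splunk TIME_FORMAT to Python strptime: %3N/%6N (sub-second digits)
    become %f, which accepts 1-6 digits. %9N and %s (epoch) are not representable
    here and are rejected rather than silently mis-parsed."""
    if "%9N" in fmt or "%s" in fmt:
        raise ValueError("unsupported TIME_FORMAT for this checker: " + fmt)
    return re.sub(r"%[36]N", "%f", fmt)


def stanza_for(source, sourcetype, props):
    """Pick the stanza Splunk applies: a matching source:: stanza wins over the
    [sourcetype] stanza. Wildcards: '*' stays within one path segment, '...' spans
    directory separators."""
    for name, settings in props.items():
        if name.startswith("source::"):
            pattern = re.escape(name[len("source::"):])
            regex = pattern.replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
            if re.fullmatch(regex, source):
                return name, settings
    if sourcetype in props:
        return sourcetype, props[sourcetype]
    return None, {}


def check_source(source, sourcetype, events, props):
    """Parse each event's configured timestamp. Returns one dict per event:
    {"line", "stanza", "epoch"} on success, {"line", "stanza", "error"} otherwise."""
    name, settings = stanza_for(source, sourcetype, props)
    if name is None or "TIMESTAMP_FIELDS" not in settings:
        return [{"line": i, "stanza": name, "error": "no TIMESTAMP_FIELDS applies"}
                for i in range(1, len(events) + 1)]
    fields = [f.strip() for f in settings["TIMESTAMP_FIELDS"].split(",")]
    pyfmt = splunk_to_python_format(settings["TIME_FORMAT"])
    results = []
    for i, raw in enumerate(events, 1):
        event = json.loads(raw)
        try:
            # A comma-separated TIMESTAMP_FIELDS list names fields that together form
            # one timestamp; this checker joins them with a space (assumption).
            value = " ".join(str(event[f]) for f in fields)
        except KeyError as missing:
            results.append({"line": i, "stanza": name, "error": f"field {missing} absent"})
            continue
        try:
            ts = datetime.strptime(value, pyfmt)
        except ValueError as exc:
            results.append({"line": i, "stanza": name, "error": f"TIME_FORMAT mismatch: {exc}"})
            continue
        if ts.tzinfo is None:  # Splunk would fall back to TZ / the host's zone
            results.append({"line": i, "stanza": name, "error": "no zone offset; add %z or set TZ"})
            continue
        results.append({"line": i, "stanza": name, "epoch": ts.timestamp()})
    return results


def run_checks(sources=SAMPLE_SOURCES, props_text=PROPS_CONF):
    """Run check_source over every sample source; returns {source: results}."""
    props = parse_props(props_text)
    return {src: check_source(src, st, evs, props) for src, (st, evs) in sources.items()}


if __name__ == "__main__":
    for src, results in run_checks().items():
        for r in results:
            status = "OK   %.3f" % r["epoch"] if "epoch" in r else "FAIL " + r["error"]
            print(f"{src}:{r['line']} [{r['stanza']}] {status}")
```

Run it against a copy of the real props.conf and a few hundred lines from each monitored file before pushing the app; any FAIL line is an event whose _time Splunk would have to guess. One caveat on the second option in the first reply: the props.conf spec describes a comma-separated TIMESTAMP_FIELDS list as the set of fields that together make up a single timestamp (the CSV case where date and time sit in separate columns), not as alternatives to try in turn, which is why this checker joins the listed fields rather than falling back from one to the next; when two sources genuinely carry their timestamp in different fields, the source:: stanza form or a sourcetype per source, as in the accepted reply, is the configuration to test.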
  </channel>
</rss>

