https://community.splunk.com/t5/Splunk-Search/index-time-with-specific-field-is-not-working/m-p/567374#M197718 <P>We used the rest <STRONG>receivers simple</STRONG> api to send a body with some fields to index as a urlencoded form.<BR />Among these there is a field <STRONG>time</STRONG> field containing a timestamp. We configure the sourcetype as in figure</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-09-16 at 15.27.33.png" style="width: 803px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16025iEE1661B1A7671EE2/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2021-09-16 at 15.27.33.png" alt="Screenshot 2021-09-16 at 15.27.33.png" /></span></P><P>The problem is that Splunk is indexing <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>when it receives the data</SPAN></SPAN></SPAN> ( <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>as if datetime was CURRENT or it found no fields with time information) .</SPAN></SPAN></SPAN></P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b">An example of the data is </SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">name=session_started&amp;params=%7B%22request_id%22%3A+%220af2918a-0125-4573-9a27-bd1a6deef75d%22%2C+%22subject%22%3A+%22mmt-112%22%7D&amp;time=2021-09-16T09%3A24%3A08.355865</LI-CODE><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we thought that the encoded data could be a problem so </SPAN></SPAN></SPAN><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we changed the format of the body sent to splunk to json</SPAN></SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">{"name": "session_started", "params": "{\"request_id\": \"0af2918a-0125-4573-9a27-bd1a6deef75d\", \"subject\": \"mmt-112\"}", "time": "2021-09-16T09:24:08.355865"}</LI-CODE><P>&nbsp;</P><P>but the <STRONG>_time </STRONG>was again the time of recevieng.</P><P>We tried several tweaks but none of them had success:</P><UL><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we checked the format of the strptime ("% Y-% m-% dT% H:% M:% S.% 6N") and it is correct, e.g.</SPAN></SPAN> <SPAN class="JLqJ4b ChMk0b"><SPAN>"2021-08-31T18: 15: 20.268841"</SPAN></SPAN> </SPAN></LI><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we tried to explicitly set the timezone (our times are in UTC) but nothing has changed</SPAN></SPAN>&nbsp;</SPAN></LI><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>No error or warning in the internal log, even if we try to put a non-existent field instead of <STRONG>time. </STRONG></SPAN></SPAN></SPAN></LI><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>When searching using that sourcetype, the field time is parsed correctly, so the system is reading correctly.</SPAN></SPAN></SPAN></LI></UL><P>Any suggestion? What to do? What to try?</P><P>A big thanks to the Splunk gurus that will help us!</P> Fri, 17 Sep 2021 08:25:32 GMT fabiofox 2021-09-17T08:25:32Z https://community.splunk.com/t5/Splunk-Search/index-time-with-specific-field-is-not-working/m-p/567374#M197718 <P>We used the rest <STRONG>receivers simple</STRONG> api to send a body with some fields to index as a urlencoded form.<BR />Among these there is a field <STRONG>time</STRONG> field containing a timestamp. We configure the sourcetype as in figure</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-09-16 at 15.27.33.png" style="width: 803px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16025iEE1661B1A7671EE2/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2021-09-16 at 15.27.33.png" alt="Screenshot 2021-09-16 at 15.27.33.png" /></span></P><P>The problem is that Splunk is indexing <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>when it receives the data</SPAN></SPAN></SPAN> ( <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>as if datetime was CURRENT or it found no fields with time information) .</SPAN></SPAN></SPAN></P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b">An example of the data is </SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">name=session_started&amp;params=%7B%22request_id%22%3A+%220af2918a-0125-4573-9a27-bd1a6deef75d%22%2C+%22subject%22%3A+%22mmt-112%22%7D&amp;time=2021-09-16T09%3A24%3A08.355865</LI-CODE><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we thought that the encoded data could be a problem so </SPAN></SPAN></SPAN><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we changed the format of the body sent to splunk to json</SPAN></SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">{"name": "session_started", "params": "{\"request_id\": \"0af2918a-0125-4573-9a27-bd1a6deef75d\", \"subject\": \"mmt-112\"}", "time": "2021-09-16T09:24:08.355865"}</LI-CODE><P>&nbsp;</P><P>but the <STRONG>_time </STRONG>was again the time of recevieng.</P><P>We tried several tweaks but none of them had success:</P><UL><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we checked the format of the strptime ("% Y-% m-% dT% H:% M:% S.% 6N") and it is correct, e.g.</SPAN></SPAN> <SPAN class="JLqJ4b ChMk0b"><SPAN>"2021-08-31T18: 15: 20.268841"</SPAN></SPAN> </SPAN></LI><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>we tried to explicitly set the timezone (our times are in UTC) but nothing has changed</SPAN></SPAN>&nbsp;</SPAN></LI><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>No error or warning in the internal log, even if we try to put a non-existent field instead of <STRONG>time. </STRONG></SPAN></SPAN></SPAN></LI><LI><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>When searching using that sourcetype, the field time is parsed correctly, so the system is reading correctly.</SPAN></SPAN></SPAN></LI></UL><P>Any suggestion? What to do? What to try?</P><P>A big thanks to the Splunk gurus that will help us!</P> Fri, 17 Sep 2021 08:25:32 GMT https://community.splunk.com/t5/Splunk-Search/index-time-with-specific-field-is-not-working/m-p/567374#M197718 fabiofox 2021-09-17T08:25:32Z https://community.splunk.com/t5/Splunk-Search/index-time-with-specific-field-is-not-working/m-p/567641#M197833 <P>I used your event string as a test:</P><P><SPAN>{"name": "session_started", "params": "{\"request_id\": \"0af2918a-0125-4573-9a27-bd1a6deef75d\", \"subject\": \"mmt-112\"}", "time": "</SPAN><SPAN class="h">2021-09-16T09:24:08.355865</SPAN><SPAN>"}</SPAN></P><P>When I tried</P><P><STRONG>Timestamp Format&nbsp;%Y-%m-%dT%H:%M:%3</STRONG></P><P>with</P><P><STRONG>Timestamp Prefix&nbsp;time":\s"</STRONG></P><P>it already parsed the correct date and time in splunk</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Azeemering_0-1632134565211.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16062iD1562E4A86E14A56/image-size/large?v=v2&amp;px=999" role="button" title="Azeemering_0-1632134565211.png" alt="Azeemering_0-1632134565211.png" /></span></P><P>&nbsp;</P> Mon, 20 Sep 2021 10:43:03 GMT https://community.splunk.com/t5/Splunk-Search/index-time-with-specific-field-is-not-working/m-p/567641#M197833 Azeemering 2021-09-20T10:43:03Z https://community.splunk.com/t5/Splunk-Search/index-time-with-specific-field-is-not-working/m-p/567836#M197898 <P>it works! thanks</P> Tue, 21 Sep 2021 13:04:25 GMT https://community.splunk.com/t5/Splunk-Search/index-time-with-specific-field-is-not-working/m-p/567836#M197898 fabiofox 2021-09-21T13:04:25Z