https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646931#M223916 <P>Hi</P><P>There are ways to do it. I point to another answers where it has solved:</P><UL><LI><A href="https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537762" target="_blank">https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537762</A></LI><LI><A href="https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204689" target="_blank">https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204689</A></LI><LI><A href="https://community.splunk.com/t5/Getting-Data-In/Http-Event-Collector-ignores-JSON-timestamp/m-p/497681" target="_blank">https://community.splunk.com/t5/Getting-Data-In/Http-Event-Collector-ignores-JSON-timestamp/m-p/497681</A></LI><LI><A href="https://community.splunk.com/t5/Getting-Data-In/HEC-How-to-set-time-on-base-of-a-specific-JSON-field/m-p/515486" target="_blank">https://community.splunk.com/t5/Getting-Data-In/HEC-How-to-set-time-on-base-of-a-specific-JSON-field/m-p/515486</A></LI></UL><P>There are several other post covering this. Main point is use raw endpoint or set time field on json's "header" part outside of actual payload.</P><P>r. Ismo</P> Wed, 14 Jun 2023 08:21:33 GMT isoutamo 2023-06-14T08:21:33Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646929#M223914 <P>Hi</P> <P>I have logstash config that send logs to Splunk HEC.</P> <P>these data contain field that call "time".</P> <P>Now question is: Is it possible to consider "time" as "_time" on logstash config?</P> <P>&nbsp;</P> <P>FYI: i want to consider this time as _time not the time that splunk receive it</P> <P>&nbsp;</P> <P>Any idea?</P> <P>Thanks</P> Thu, 15 Jun 2023 23:08:56 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646929#M223914 indeed_2000 2023-06-15T23:08:56Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646931#M223916 <P>Hi</P><P>There are ways to do it. I point to another answers where it has solved:</P><UL><LI><A href="https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537762" target="_blank">https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537762</A></LI><LI><A href="https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204689" target="_blank">https://community.splunk.com/t5/Getting-Data-In/JSON-timestamps-not-parsed-via-HTTP-Event-Collector/m-p/204689</A></LI><LI><A href="https://community.splunk.com/t5/Getting-Data-In/Http-Event-Collector-ignores-JSON-timestamp/m-p/497681" target="_blank">https://community.splunk.com/t5/Getting-Data-In/Http-Event-Collector-ignores-JSON-timestamp/m-p/497681</A></LI><LI><A href="https://community.splunk.com/t5/Getting-Data-In/HEC-How-to-set-time-on-base-of-a-specific-JSON-field/m-p/515486" target="_blank">https://community.splunk.com/t5/Getting-Data-In/HEC-How-to-set-time-on-base-of-a-specific-JSON-field/m-p/515486</A></LI></UL><P>There are several other post covering this. Main point is use raw endpoint or set time field on json's "header" part outside of actual payload.</P><P>r. Ismo</P> Wed, 14 Jun 2023 08:21:33 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646931#M223916 isoutamo 2023-06-14T08:21:33Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646935#M223918 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>is it possible to fix it in logstash ? instead in splunk?</P><P>how splunk decide what is the "_time"? always consider as receive time?</P> Wed, 14 Jun 2023 08:42:50 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646935#M223918 indeed_2000 2023-06-14T08:42:50Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646940#M223921 <P>As you send it via HEC you must told to splunk which field you want to use as _time otherwise it's used it's own heuristic to try to guess the correct time.</P><P>Here is described how this is happening&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps</A></P><P>&nbsp;</P> Wed, 14 Jun 2023 09:04:37 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646940#M223921 isoutamo 2023-06-14T09:04:37Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646981#M223940 <P>As splunk can guess timestamp is it possible to send data from logstash in somehow that splunk consider e.g field that in json format called “time” consider as _time?</P><P>without change splunk settings?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Jun 2023 13:49:44 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/646981#M223940 indeed_2000 2023-06-14T13:49:44Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/647035#M223961 You should read those above links. Those describe how it should do. Wed, 14 Jun 2023 20:21:04 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-consider-quot-time-quot-as-quot-time-quot-on/m-p/647035#M223961 isoutamo 2023-06-14T20:21:04Z