Hi,
I have the following json which I put in through HEC:
{
"message": {
"metadata": {
"id": "https://...",
"uri": "https://...",
"type": "com...."
},
"messageGuid": "AF8aCGJx-9ZI-JGyvFTGoSufbXlA",
"correlationId": "AF8aCGI8ISFZGiG8eh9NAegmK2q5",
"logStart": "2020-07-23T22:00:02.4",
"logEnd": "2020-07-23T22:00:10.866",
"integrationFlowName": "Sample_Flow",
"status": "DONE",
"alternateWebLink": "https://...",
"logLevel": "INFO",
"customStatus": "DONE",
"transactionId": "afdfb636cbce4dd0b537b6623954a490"
}
}I log it with the splunk logging library (appender is com.splunk.logging.HttpEventCollectorLogbackAppender) with a defined sourcetype.
The _time attribute of the event in Splunk I need to set with the value of the json field "logStart".
For this purpose I have the following settings in the sourcetype:
As result I get the following json in Splunk:
{
"severity": "INFO",
"logger": "SplunkLogger",
"time": "1595593644.384",
"thread": "http-nio-8080-exec-1",
"message": {
"metadata": {
"id": "https://...",
"uri": "https://...",
"type": "com...."
},
"messageGuid": "AF8aCGJx-9ZI-JGyvFTGoSufbXlA",
"correlationId": "AF8aCGI8ISFZGiG8eh9NAegmK2q5",
"logStart": "2020-07-23T22:00:02.4",
"logEnd": "2020-07-23T22:00:10.866",
"integrationFlowName": "Sample_Flow",
"status": "DONE",
"alternateWebLink": "https://...",
"logLevel": "INFO",
"customStatus": "DONE",
"transactionId": "afdfb636cbce4dd0b537b6623954a490"
}
}And the _time value has been setted on base of the epoch time, that was generated via the splunk appender (current log time).
I didn't find any possibility to influence the generation of the "time" field in the splunk logging library:
https://github.com/splunk/splunk-library-javalogging
How can I let Splunk set the _time value on base of the specific json field "logStart"?
Thanks a lot
Best regards
Hello,
now I find the reason:
In another thread @hernanb postet, that the "event" end point of HEC is forwarding the data directly without parsing to the indexing (additionally HEC has a "raw" endpoint, that parses the data before). Here the link to the thread:
As I use the Splunk-Logging-Library (it is using by default the "event" end point), I needed to add a "type" element in the appender configuration (with the value 'raw'):
<Appender name="Splunk_HEC_Local"
class="com.splunk.logging.HttpEventCollectorLogbackAppender">
<url>https://localhost:8088</url>
<token>aaaaaaaaa-bbbbbbbbb-cccccccc</token>
<disableCertificateValidation>true</disableCertificateValidation>
<batch_size_count>1</batch_size_count>
<sourcetype>odata_mpl_message_json</sourcetype>
<source>Splunk-Integration</source>
<layout class="ch.qos.logback.classic.PatternLayout">
<pattern>%msg</pattern>
</layout>
<type>raw</type>
</Appender>
Then I changed the props.conf to the original expected solution:
[odata_mpl_message_json]
CHARSET = UTF-8
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = 1
TIME_FORMAT=%FT%T.%3N
TIMESTAMP_FIELDS=event.message.logStart
LINE_BREAKER = ([\r\n]+)
category = Custom
description = ODATA SCPI MPL JSON
When I send logs over the HEC now, the events have a little different structure with an "event" field:
 |
Then as you can see in the screenshot, the _time event attribute has been setted on base of the json field "event.message.logStart".
To find this solution it was necessary to look to the source code of the classes HttpEventCollectorSender.java and HttpEventCollectorLoggingHandler because this aspect is not documented.
Nevertheless thanks for your support.
thanks for your replies,
I changed now the configuration as following
 |
 |
But the result is the same:
 |
Any other comments/suggestions?
Thanks a lot.
I tried w/o TIME_FORMAT and without TIME_PREFIX and changed the TIMESTAMP_FIELDS as you suggested.
I see no change.
In the configuration I realized, that the UI is not allowing me to change to SHOULD_LINEMERGE = false
The UI is changing it automatically to SHOULD_LINEMERGE = true
Here the latest configuration:
 |
 |
Which other points can effect, that Splunk is taking the generated time attribute?
Do you know any impacts due to KV_MODE and INDEXED_EXTRACTIONS?
As I've written, I removed the TIME_FORMAT before, without any effect.
Here the configuration now:
 |
The result ist the same:
 |
I guess you mean the time field in the below (marked blue):
 |
This field is generated via the Splunk logging library, as I explained in my first entry here.
I cannot influence the generation of this field (together with the other fields severity, thread and logger).
Would it help to convert the message.logStart value to epoch time, or would Splunk ever take the generated time field in the json root element?
Hi,
I corrected the configuration in the following way:
[odata_mpl_message_json]
CHARSET = UTF-8
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = 1
TIME_FORMAT = %FT%T.%3N
TIMESTAMP_FIELDS = message.logStart
category = Custom
description = ODATA SCPI MPL JSON
NO_BINARY_CHECK = trueBut result is the same.
And by the way: If I open the configuration above in the UI, the UI is putting the LINE_BREACKER option to the configuration:
 |
Hello,
now I find the reason:
In another thread @hernanb postet, that the "event" end point of HEC is forwarding the data directly without parsing to the indexing (additionally HEC has a "raw" endpoint, that parses the data before). Here the link to the thread:
As I use the Splunk-Logging-Library (it is using by default the "event" end point), I needed to add a "type" element in the appender configuration (with the value 'raw'):
<Appender name="Splunk_HEC_Local"
class="com.splunk.logging.HttpEventCollectorLogbackAppender">
<url>https://localhost:8088</url>
<token>aaaaaaaaa-bbbbbbbbb-cccccccc</token>
<disableCertificateValidation>true</disableCertificateValidation>
<batch_size_count>1</batch_size_count>
<sourcetype>odata_mpl_message_json</sourcetype>
<source>Splunk-Integration</source>
<layout class="ch.qos.logback.classic.PatternLayout">
<pattern>%msg</pattern>
</layout>
<type>raw</type>
</Appender>
Then I changed the props.conf to the original expected solution:
[odata_mpl_message_json]
CHARSET = UTF-8
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = 1
TIME_FORMAT=%FT%T.%3N
TIMESTAMP_FIELDS=event.message.logStart
LINE_BREAKER = ([\r\n]+)
category = Custom
description = ODATA SCPI MPL JSON
When I send logs over the HEC now, the events have a little different structure with an "event" field:
|
Then as you can see in the screenshot, the _time event attribute has been setted on base of the json field "event.message.logStart".
To find this solution it was necessary to look to the source code of the classes HttpEventCollectorSender.java and HttpEventCollectorLoggingHandler because this aspect is not documented.
Nevertheless thanks for your support.
