Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How come I can't override _time with props?

nickdewijer
Explorer
‎02-26-2019 02:08 AM

Using an HTTP event collector on a heavy forwarder, I receive JSON that comes in as follows:

{
    "env":  "prod",
    "org":  "xxx",
    "percentile":  "95",
    "proxy":  "xxx",
    "region":  "europe-west1",
    "target":  "ALL",
    "time":  "2019-02-26T10:54:00.000+01:00",
    "totalLatency":  362,
    "targetLatency":  359
}

I want to override the indexing _time field with the timefield from the event. I've tried all forms of the following in Props:

[stansa]

TIMESTAMP_FIELDS = time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
TIME_PREFIX = time\":\s*\"
KV_MODE = json

but the _time sticks to indexing time with the Splunk event looking like this:

time
2019-02-26T10:54:00.000+01:00

_time
2019-02-26T10:55:11.000+01:00

Please help me understand why Splunk stubbornly refuses to recognize me passing it a timestamp.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎02-27-2019 07:11 AM

Here is the reason why no TIME parsing is done on JSON Endpoints:

https://answers.splunk.com/answers/411892/json-timestamps-not-parsed-via-http-event-collecto.html

View solution in original post

Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎02-27-2019 07:11 AM

Here is the reason why no TIME parsing is done on JSON Endpoints:

https://answers.splunk.com/answers/411892/json-timestamps-not-parsed-via-http-event-collecto.html

Reply
Solved! Jump to solution

nickdewijer
Explorer
‎02-28-2019 03:42 AM

That's amazing, never knew. I've switched over to raw, had to play around with the props AND the data coming into the HEC but it's exactly as I want it now.

0 Karma
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎02-26-2019 07:47 AM

Forget about the TIMESTAM_FIELDS.

Keep the following configurations and make sure these are in the first Heavy Forwarder or Indexer through which the data is going

KV_MODE=json
TIME_PREFIX=time\":\s*\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD=24

0 Karma
Reply
Solved! Jump to solution

nickdewijer
Explorer
‎02-27-2019 04:54 AM

I've implemented this exactly, on the Heavy Forwarder that is hosting the HEC. No effect.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...