Getting Data In

How do I set _time with collect _raw?

yurykiselev
Path Finder

Hi!
I have to collect some JSON "as is" - not as key-value pair. How can I set event timestamp in this case?

... | eval _time=strptime(...) | table _time _raw | collect index="..."

... doesn't work: _time is ignored with _raw present and replaced with cirrent time. I could do:

... | eval data = _raw | table _time data | collect ... 

, but it generates key-value-event with "data={my_json_from_raw}"

0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

Hi @yurykiselev,
If time is already in the _raw in a format that Splunk can understand easily then you will add addtime=false as a option with collect command and Splunk will automatically extracts time from _raw no need to extract separately.

If not the above scenario then you have to write props.conf for the source-type you are using.

  • If time format is weird then you must have specify time format into TIME_FORMAT. (This may help you in writing that format)

  • If time format is not available within first 128 characters of _raw event then you have to add MAX_TIMESTAMP_LOOKAHEAD.

  • You can also specify TIME_PREFIX. (props.conf may help you in all the configuration writing)

Hope this helps!!

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @yurykiselev,
If time is already in the _raw in a format that Splunk can understand easily then you will add addtime=false as a option with collect command and Splunk will automatically extracts time from _raw no need to extract separately.

If not the above scenario then you have to write props.conf for the source-type you are using.

  • If time format is weird then you must have specify time format into TIME_FORMAT. (This may help you in writing that format)

  • If time format is not available within first 128 characters of _raw event then you have to add MAX_TIMESTAMP_LOOKAHEAD.

  • You can also specify TIME_PREFIX. (props.conf may help you in all the configuration writing)

Hope this helps!!

0 Karma

yurykiselev
Path Finder

Thank you! I added date at begin of data "%Y-%m-%d %H:%M:%S" - it's recignized without any props defineding.

VatsalJagani
SplunkTrust
SplunkTrust

Nice!!, This time format is identify by Splunk so good for you.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...