Hi!
I have to collect some JSON "as is" - not as key-value pairs. How can I set the event timestamp in this case?
... | eval _time=strptime(...) | table _time _raw | collect index="..."
... doesn't work: _time is ignored when _raw is present and replaced with the current time. I could do:
... | eval data = _raw | table _time data | collect ...
, but it generates a key-value event with "data={my_json_from_raw}".
Hi @yurykiselev,
If the time is already in _raw in a format that Splunk can understand easily, then you add addtime=false
as an option to the collect command and Splunk will automatically extract the time from _raw; no need to extract it separately.
If that is not your scenario, then you have to write props.conf for the sourcetype you are using.
If the time format is unusual, then you must specify the time format in TIME_FORMAT. (This may help you in writing that format.)
If the time format is not available within the first 128 characters of the _raw event, then you have to add MAX_TIMESTAMP_LOOKAHEAD.
You can also specify TIME_PREFIX. (props.conf may help you with all the configuration writing.)
Hope this helps!!
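The steps above put together, as an added example that is not part of this thread: a props.conf stanza for a sourcetype written by collect with addtime=false, so the timestamp is taken from the JSON in _raw instead of the collect time. The sourcetype name my_json, the index name, and the JSON field name ts are assumptions for illustration; the collect arguments index, sourcetype and addtime are real options of the command.

```ini
# Added example, not from the thread. Assumed names: sourcetype "my_json",
# index "summary_json", JSON timestamp field "ts".
#
# The search that writes the raw JSON (one JSON object per event in _raw):
#   ... | eval _raw=my_json_string
#       | collect index=summary_json sourcetype=my_json addtime=false
#
# props.conf on the Splunk instance that indexes what collect writes.
# Without this stanza the default timestamp recognizer is used, which is
# why a leading "%Y-%m-%d %H:%M:%S" is picked up with no configuration.
[my_json]
# Regex that ends right before the timestamp text, e.g. {"ts": "2023-01-02T03:04:05+0000", ...}
TIME_PREFIX = "ts"\s*:\s*"
# strptime-style format of the value that follows TIME_PREFIX
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
# Lookahead is counted from the end of the TIME_PREFIX match (from the start
# of the event when TIME_PREFIX is unset, default 128 characters), so a value
# just large enough for the timestamp itself is enough here.
MAX_TIMESTAMP_LOOKAHEAD = 30
```

Two caveats worth checking after the first collect run: search the target index and compare _time with the ts value in _raw (a mismatch usually means TIME_PREFIX did not match and Splunk fell back to another time), and remember that setting a sourcetype other than the default stash on collect means the summarized data is no longer treated as summary data for licensing purposes.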
Thank you! I added a date at the beginning of the data in the "%Y-%m-%d %H:%M:%S" format - it's recognized without any props defined.
Nice!! This time format is identified by Splunk, so good for you.