Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do you set custom timestamp for data ingested via Splunk SDK?

awalton
Splunk Employee
Splunk Employee
‎08-07-2021 11:27 PM

Using the Splunk SDK, I am ingesting json data into a splunk index via this line of code: 

index.submit(event, host="localhost", sourcetype="covid_vacc_data_ingest")

This line of code is working and data is ingested, but the timestamp is always the ingestion time rather then the date field on the event. Here is a screenshot of my settings in Splunk enterprise for this sourcetype: 

Screen Shot 2021-08-07 at 11.04.59 PM.png

Here is a screenshot of what the ingested data looks like: 

Screen Shot 2021-08-07 at 11.23.42 PM.png

I want the _time field on the left to be the date field on the right. Any suggestions? Not sure what I am doing wrong.

Thank you! 

Labels (1)
Labels
0 Karma
Reply

jhanvidattani
Path Finder
‎08-08-2021 05:57 AM

@awalton 

Can you add below setting in props.conf for json data ingested:

 

[covid_vacc_data_ingest]
DATETIME_CONFIG = None 
TIME_PREFIX = "date": 
TIME_FORMAT = %Y-%M-%D
...

 

DATETIME_CONFIG: Splunk will not to take any timestamp by default by this config
TIME_FORMAT and TIME_PREFIX: Splunk will take timestamp of format %Y-%M-%D from date field

If you find my solution fruitful an upvote will be appreciated.

0 Karma
Reply

awalton
Splunk Employee
Splunk Employee
‎08-09-2021 05:42 PM

@jhanvidattani  Thank you for the response.

This solution still did not work for me. What's strange is that if i manually upload the data via a file and assign it my sourcetype, it actually extracts the date field and assigns that as the timestamp. So, it must be something specifically happening when i ingest via the splunk sdk, correct?

0 Karma
Reply

jhanvidattani
Path Finder
‎08-10-2021 10:10 AM

Can you confirm whether the sdk sets the value of _time from code?

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...