Using the Splunk SDK, I am ingesting json data into a splunk index via this line of code:
index.submit(event, host="localhost", sourcetype="covid_vacc_data_ingest")
This line of code is working and data is ingested, but the timestamp is always the ingestion time rather than the date field on the event. Here is a screenshot of my settings in Splunk Enterprise for this sourcetype:
Here is a screenshot of what the ingested data looks like:
I want the _time field on the left to be the date field on the right. Any suggestions? Not sure what I am doing wrong.
Thank you!
Can you add the below settings in props.conf for the JSON data ingested:
[covid_vacc_data_ingest]
DATETIME_CONFIG = None
# TIME_PREFIX is a regex; the literal quotes match the JSON key exactly as written
TIME_PREFIX = "date":
# strptime codes for a YYYY-MM-DD value: %m is the month and %d the day
# (%M means minutes and %D means m/d/y, so they cannot match a date like 2021-03-14)
TIME_FORMAT = %Y-%m-%d
...
DATETIME_CONFIG: with this config, Splunk will not take any timestamp by default
TIME_FORMAT and TIME_PREFIX: Splunk will take the timestamp in the format %Y-%M-%D from the date field
If you find my solution fruitful, an upvote will be appreciated.
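To check a props.conf timestamp stanza against a sample event before restarting Splunk, here is an added example (editor's code, not from the thread, the Splunk SDK or Splunk itself) that approximates Splunk's TIME_PREFIX/TIME_FORMAT pass in Python. The sample event, its field names and the three stanza variants are constructed assumptions. The stanza as posted is compared with one that only fixes the format string and with one that also drops DATETIME_CONFIG: %M means minutes and %D means m/d/y in strptime, so %Y-%M-%D cannot match a YYYY-MM-DD value, and DATETIME_CONFIG = NONE is modelled the way props.conf.spec documents it, as switching extraction off so the event keeps the input-layer (index) time.

```python
import json
import re
from datetime import datetime

# Constructed sample: a JSON record of the kind the thread ingests. The field
# names and values are assumptions, not data from the original post.
SAMPLE_EVENT = json.dumps({"date": "2021-03-14", "state": "TX", "doses": 12345})

# Three props.conf variants as plain dicts (constructed for this example).
PROPS_AS_POSTED = {"DATETIME_CONFIG": "None",
                   "TIME_PREFIX": r'"date":',
                   "TIME_FORMAT": "%Y-%M-%D"}
PROPS_BAD_FORMAT = {"TIME_PREFIX": r'"date":',
                    "TIME_FORMAT": "%Y-%M-%D"}
PROPS_CORRECTED = {"TIME_PREFIX": r'"date":',
                   "TIME_FORMAT": "%Y-%m-%d"}


def extract_timestamp(raw_event, props):
    """Approximate Splunk's timestamp-extraction pass for one event.

    Returns a datetime when TIME_PREFIX/TIME_FORMAT match, else None, which is
    the case where Splunk falls back to the input-layer time (index time),
    i.e. the symptom reported in the thread.
    """
    # DATETIME_CONFIG = NONE switches extraction off entirely (props.conf.spec),
    # so TIME_PREFIX/TIME_FORMAT never run and every event gets index time.
    if props.get("DATETIME_CONFIG", "").upper() == "NONE":
        return None

    # TIME_PREFIX is a regex; the timestamp is read from just after its match.
    prefix = re.search(props["TIME_PREFIX"], raw_event)
    if prefix is None:
        return None
    tail = raw_event[prefix.end():].lstrip()

    # In JSON the value is quoted; take the text up to the closing quote so
    # Python's strict strptime sees only the candidate timestamp.
    candidate = re.match(r'"([^"]*)"', tail)
    if candidate is None:
        return None
    try:
        return datetime.strptime(candidate.group(1), props["TIME_FORMAT"])
    except ValueError:
        # The format does not fit the text: Splunk would likewise find no
        # timestamp here and fall back to index time.
        return None


def check_props(raw_event, props):
    """Return a one-line verdict for an event/stanza pair."""
    ts = extract_timestamp(raw_event, props)
    return f"_time = {ts.isoformat()}" if ts else "_time = index time (no match)"


if __name__ == "__main__":
    for label, props in [("as posted", PROPS_AS_POSTED),
                         ("bad format only", PROPS_BAD_FORMAT),
                         ("corrected", PROPS_CORRECTED)]:
        print(f"{label:16}: {check_props(SAMPLE_EVENT, props)}")
```

Only the corrected variant yields a parsed date; the posted stanza fails twice over, because DATETIME_CONFIG disables extraction and because the format codes do not fit the value. Run it against a copy of a real event string from the index to see which of the two is the cause in a given deployment.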
@jhanvidattani Thank you for the response.
This solution still did not work for me. What's strange is that if I manually upload the data via a file and assign it my sourcetype, it actually extracts the date field and assigns that as the timestamp. So, it must be something specifically happening when I ingest via the Splunk SDK, correct?
Can you confirm whether the SDK sets the value of _time from code?