Getting Data In

How to assign the _time to the value that comes from time_prefix and set it within each forced sourcetype?

davspl1
New Member

Hello,

I am trying to set _time from a given stanza that occurs after the sourcetype stanza is forced. I am using a generic or catch-all sourcetype stanza initially to receive data from the HTTP event collector and then force the events to their appropriate sourcetype from transforms. This sourcetype forcing works perfectly and assigns the correct sourcetype (2, 3, or 4 below), as expected.

Now, I want to be able to set the _time to the value that comes from the time_prefix that is defined within each forced stanza, but this is not working. The _time is always being set to any time_prefix in the first stanza (sourcetype_1), or if I don't specify a time_prefix in the first stanza, Splunk will still assign a _time based on the default time rules.

Is there any way to have the _time set within each forced sourcetype stanza, or will it only be able to work from the first stanza at index time? I could probably create my own datetime.xml, but I was hoping to use the forcing of the sourcetype and have the _time value set within each forced sourcetype stanza. Below is an example:

[sourcetype_1 catch all]

Do not assign _time here
Force sourcetypes 2-4 and have _time assigned in those stanzas

[sourcetype_2]

Want _time set here based on time_prefix.

[sourcetype_3]

Want _time set here based on time_prefix.

[sourcetype_4]

Want _time set here based on time_prefix.
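Added example, not the poster's configuration and not a reply from the thread. It illustrates the ordering behind the behaviour described above: Splunk extracts _time in the parsing/merging pipeline while the event still carries the sourcetype it arrived with, and transforms that rewrite MetaData:Sourcetype run later in the typing pipeline, so TIME_PREFIX/TIME_FORMAT in the rewritten stanzas are never consulted at index time. The stanza name hec_catch_all, the transform names, the "app=<name> ts=<timestamp> msg=..." event layout and the assumption that app4 sends epoch milliseconds are all constructed for this example; sourcetype_2 to sourcetype_4 are taken from the post.

```ini
# ---- props.conf (added example; names and event layout are assumptions) ----

# The sourcetype attached to the HEC token. _time is extracted while the event
# still carries THIS sourcetype, so index-time timestamp settings must live here.
[hec_catch_all]
# Assumed event shape: app=<name> ts=2024-02-01T10:20:30Z msg=...
TIME_PREFIX = \sts=
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ = UTC
# Sourcetype rewrites run in the typing pipeline, after _time has been set.
# Transforms are applied left to right, so the INGEST_EVAL comes last.
TRANSFORMS-route = force_sourcetype_2, force_sourcetype_3, force_sourcetype_4, time_sourcetype_4

# Rewritten sourcetypes: search-time settings (EXTRACT-*, REPORT-*) apply here,
# but index-time TIME_PREFIX/TIME_FORMAT/LINE_BREAKER in these stanzas do not,
# because the event was already parsed under hec_catch_all.
[sourcetype_2]
EXTRACT-msg = msg=(?<msg>.*)$

[sourcetype_3]
EXTRACT-msg = msg=(?<msg>.*)$

[sourcetype_4]
EXTRACT-msg = msg=(?<msg>.*)$

# ---- transforms.conf (added example) ----

[force_sourcetype_2]
REGEX = ^app=app2\s
FORMAT = sourcetype::sourcetype_2
DEST_KEY = MetaData:Sourcetype

[force_sourcetype_3]
REGEX = ^app=app3\s
FORMAT = sourcetype::sourcetype_3
DEST_KEY = MetaData:Sourcetype

[force_sourcetype_4]
REGEX = ^app=app4\s
FORMAT = sourcetype::sourcetype_4
DEST_KEY = MetaData:Sourcetype

# Assumed: app4 events carry epoch milliseconds in ts= rather than ISO-8601,
# so the catch-all TIME_FORMAT does not fit them. INGEST_EVAL also runs in the
# typing pipeline and may assign _time, so a per-type timestamp can be set here.
# Events that do not match keep the _time already extracted.
[time_sourcetype_4]
INGEST_EVAL = _time = if(match(_raw, "^app=app4 "), tonumber(replace(_raw, "^.*? ts=([0-9]+)( .*)?$", "\1")) / 1000, _time)
```

Two alternatives avoid the problem entirely when the sender can be changed: the /services/collector endpoint accepts a top-level "time" field in the JSON envelope, which sets _time directly without any extraction, and issuing one HEC token per sourcetype lets each event be parsed under its own stanza from the start, so that stanza's TIME_PREFIX is honoured.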