Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to disable overriding a timestamp from event data?

akorzun
Explorer
‎05-08-2015 09:36 AM

Hello All,

I am writing a modular input in Java. It streams events in xml format. The example:

<event>
<time>1330717125</time>
<data>timestamp=2015-05-06 08:56:06.767</data>
</event>

The timestamp from event data overrides the time from "time" element. Ho to disable it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-08-2015 10:30 AM

You might want to take a look here at some structural examples that the Master of All things Modular Inputs has done. http://blogs.splunk.com/2013/04/16/modular-inputs-tools/

Basically... when I user creates an input from your modular input, they then need to specify the sourcetype. You can set a default sourcetype, but that's kind of outside the concept of a modular input, and more an "app that streams some specific data"

Meaning... the Modular input gets the data based on the credentials etc... you provide and it streams it in. The modular input itself doesn't define what the events look like beyond the skeleton of the structure you expect... that happens in props.conf
The sourcetype would have a TIME_PREFIX= value something like:

TIME_PREFIX=\&lt;time\&gt;

Right now... with no sourcetype Splunk looks at the data, see's something marked "timestamp" and goes for that one.

So your modular input creates an inputs.conf
Unless you do it yourself, that'll be with no sourcetype
Just naming a sourcetype without creating specific attributes, will force Splunk to just do it's best to figure out what the timestamp is.
Your data basically has a sign that says "This is the timestamp!" 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Reply
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-08-2015 10:30 AM

You might want to take a look here at some structural examples that the Master of All things Modular Inputs has done. http://blogs.splunk.com/2013/04/16/modular-inputs-tools/

Basically... when I user creates an input from your modular input, they then need to specify the sourcetype. You can set a default sourcetype, but that's kind of outside the concept of a modular input, and more an "app that streams some specific data"

Meaning... the Modular input gets the data based on the credentials etc... you provide and it streams it in. The modular input itself doesn't define what the events look like beyond the skeleton of the structure you expect... that happens in props.conf
The sourcetype would have a TIME_PREFIX= value something like:

TIME_PREFIX=\&lt;time\&gt;

Right now... with no sourcetype Splunk looks at the data, see's something marked "timestamp" and goes for that one.

So your modular input creates an inputs.conf
Unless you do it yourself, that'll be with no sourcetype
Just naming a sourcetype without creating specific attributes, will force Splunk to just do it's best to figure out what the timestamp is.
Your data basically has a sign that says "This is the timestamp!" 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply
Solved! Jump to solution

akorzun
Explorer
‎05-11-2015 04:28 AM

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...