Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to disable overriding a timestamp from event data?

akorzun
Explorer
‎05-08-2015 09:36 AM

Hello All,

I am writing a modular input in Java. It streams events in xml format. The example:

<event>
<time>1330717125</time>
<data>timestamp=2015-05-06 08:56:06.767</data>
</event>

The timestamp from event data overrides the time from "time" element. Ho to disable it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-08-2015 10:30 AM

You might want to take a look here at some structural examples that the Master of All things Modular Inputs has done. http://blogs.splunk.com/2013/04/16/modular-inputs-tools/

Basically... when I user creates an input from your modular input, they then need to specify the sourcetype. You can set a default sourcetype, but that's kind of outside the concept of a modular input, and more an "app that streams some specific data"

Meaning... the Modular input gets the data based on the credentials etc... you provide and it streams it in. The modular input itself doesn't define what the events look like beyond the skeleton of the structure you expect... that happens in props.conf
The sourcetype would have a TIME_PREFIX= value something like:

TIME_PREFIX=\&lt;time\&gt;

Right now... with no sourcetype Splunk looks at the data, see's something marked "timestamp" and goes for that one.

So your modular input creates an inputs.conf
Unless you do it yourself, that'll be with no sourcetype
Just naming a sourcetype without creating specific attributes, will force Splunk to just do it's best to figure out what the timestamp is.
Your data basically has a sign that says "This is the timestamp!" 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Reply
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-08-2015 10:30 AM

You might want to take a look here at some structural examples that the Master of All things Modular Inputs has done. http://blogs.splunk.com/2013/04/16/modular-inputs-tools/

Basically... when I user creates an input from your modular input, they then need to specify the sourcetype. You can set a default sourcetype, but that's kind of outside the concept of a modular input, and more an "app that streams some specific data"

Meaning... the Modular input gets the data based on the credentials etc... you provide and it streams it in. The modular input itself doesn't define what the events look like beyond the skeleton of the structure you expect... that happens in props.conf
The sourcetype would have a TIME_PREFIX= value something like:

TIME_PREFIX=\&lt;time\&gt;

Right now... with no sourcetype Splunk looks at the data, see's something marked "timestamp" and goes for that one.

So your modular input creates an inputs.conf
Unless you do it yourself, that'll be with no sourcetype
Just naming a sourcetype without creating specific attributes, will force Splunk to just do it's best to figure out what the timestamp is.
Your data basically has a sign that says "This is the timestamp!" 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply
Solved! Jump to solution

akorzun
Explorer
‎05-11-2015 04:28 AM

Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...