Hi Splunk Gurus,
Looking for some help, please.
I am trying to extract the timestamp from JSON sent via an HEC token.
I have my inputs.conf and props.conf in the same app, and they are deployed on heavy forwarders.
My props:
[hec:azure:nonprod:json]
MAX_TIMESTAMP_LOOKAHEAD = 512
TIME_PREFIX = createdDateTime\"\:\s+\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TZ = UTC
Sample event:
{"@odata.type": "#microsoft.graph.group", "id": "XXXXXXXXXXXXX", "deletedDateTime": null, "classification": null, "createdDateTime": "2022-06-03T02:05:02Z", "creationOptions": [], "description": null, "displayName": "global_admin", "expirationDateTime": null, "groupTypes": [], "isAssignableToRole": true, "mail": null, "mailEnabled": false, "mailNickname": "XXXX", "membershipRule": null, "membershipRuleProcessingState": null, "onPremisesDomainName": null, "onPremisesLastSyncDateTime": null, "onPremisesNetBiosName": null, "onPremisesSamAccountName": null, "onPremisesSecurityIdentifier": null, "onPremisesSyncEnabled": null, "preferredDataLocation": null, "preferredLanguage": null, "proxyAddresses": [], "renewedDateTime": "2022-06-03T02:05:02Z", "resourceBehaviorOptions": [], "resourceProvisioningOptions": [], "securityEnabled": true, "securityIdentifier": "XXXXXXXXXXXXX", "theme": null, "visibility": "Private", "onPremisesProvisioningErrors": [], "serviceProvisioningErrors": [], "graphendpointtype": "directoryroles"}
I want to extract the timestamp from the createdDateTime field.
I tried TIMESTAMP_FIELDS = createdDateTime
and
INGEST_EVAL=_time=strptime(spath(_raw,"createdDateTime"), "%Y-%m-%dT%H:%M:%S%Z")
as suggested in previous answers.splunk posts, but nothing worked; Splunk still uses the index time only.
What am I doing wrong here?
If you are using the /services/collector/event endpoint to send events, try changing it to /services/collector/raw.
Test using the commands below:
curl -vvvv -k https://hecendpoint:8088/services/collector/raw -H "Authorization: Splunk XXXXXXXXXXXX" -d '{"id": "raw-message", "createdDateTime": "2023-09-23T11:11:11Z"}'
curl -vvvv -k https://splunkviphec.bbl.int:8088/services/collector/event -H "Authorization: Splunk XXXXXXXXXXXXXXX" -d '{"event":{"id": "event-message", "createdDateTime": "2023-09-23T11:11:11Z"}}'
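As an added example (not part of this thread), a small Python helper that builds both payload shapes for the sample event above: the bare JSON body for /services/collector/raw, which goes through the parsing pipeline where the props.conf TIME_PREFIX/TIME_FORMAT apply, and the /services/collector/event envelope with an explicit `time` field computed from createdDateTime, for senders that cannot switch endpoints. The function names, the trimmed sample record and the HEC URL are constructed assumptions.

```python
"""Carry the event's own createdDateTime into Splunk _time via HEC.

Two payload shapes, matching the two endpoints discussed in the answer.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample, trimmed from the event in the question.
SAMPLE = {
    "@odata.type": "#microsoft.graph.group",
    "id": "XXXXXXXXXXXXX",
    "createdDateTime": "2022-06-03T02:05:02Z",
    "displayName": "global_admin",
}

# Same regex the question's props.conf uses for TIME_PREFIX, so the match
# can be checked locally against the raw JSON before redeploying props.
TIME_PREFIX = re.compile(r'createdDateTime\"\:\s+\"')
# Python spells the trailing "Z" (UTC) as %z; Splunk's props.conf uses %Z.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"

# Constructed placeholder; the /raw endpoint takes sourcetype as a query parameter.
HEC_RAW_URL = "https://hecendpoint:8088/services/collector/raw?sourcetype=hec:azure:nonprod:json"


def created_epoch(record: dict) -> int:
    """Parse createdDateTime (ISO 8601 with 'Z' suffix) into epoch seconds."""
    ts = datetime.strptime(record["createdDateTime"], TIME_FORMAT)
    return int(ts.astimezone(timezone.utc).timestamp())


def raw_payload(record: dict) -> str:
    """Body for /services/collector/raw: the bare JSON. The indexer's parsing
    pipeline then applies TIME_PREFIX/TIME_FORMAT from props.conf."""
    return json.dumps(record)


def event_envelope(record: dict, sourcetype: str) -> dict:
    """Body for /services/collector/event. props.conf timestamp extraction is
    not applied on this endpoint, so the epoch is set in the 'time' field."""
    return {"time": created_epoch(record), "sourcetype": sourcetype, "event": record}


def prefix_matches(raw: str) -> bool:
    """True when the props.conf TIME_PREFIX regex finds the field in raw text."""
    return TIME_PREFIX.search(raw) is not None
```

Send `raw_payload(...)` to `HEC_RAW_URL`, or `json.dumps(event_envelope(...))` to the /event endpoint, with the same `Authorization: Splunk <token>` header as the curl commands above.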