Getting Data In

How to do Timestamp extraction from hec?

dinesh_bendigo
Explorer

hi Splunk Gurus

Looking for some help please

I am trying to extract timestamp from json sent via hec token.

I have my inputs.conf and props.conf in same app and are deployed on heavy forwarders.

My props:

 

[hec:azure:nonprod:json]
MAX_TIMESTAMP_LOOKAHEAD = 512
TIME_PREFIX = createdDateTime\"\:\s+\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TZ = UTC

 

Sample event:

 

{"@odata.type": "#microsoft.graph.group", "id": "XXXXXXXXXXXXX", "deletedDateTime": null, "classification": null, "createdDateTime": "2022-06-03T02:05:02Z", "creationOptions": [], "description": null, "displayName": "global_admin", "expirationDateTime": null, "groupTypes": [], "isAssignableToRole": true, "mail": null, "mailEnabled": false, "mailNickname": "XXXX", "membershipRule": null, "membershipRuleProcessingState": null, "onPremisesDomainName": null, "onPremisesLastSyncDateTime": null, "onPremisesNetBiosName": null, "onPremisesSamAccountName": null, "onPremisesSecurityIdentifier": null, "onPremisesSyncEnabled": null, "preferredDataLocation": null, "preferredLanguage": null, "proxyAddresses": [], "renewedDateTime": "2022-06-03T02:05:02Z", "resourceBehaviorOptions": [], "resourceProvisioningOptions": [], "securityEnabled": true, "securityIdentifier": "XXXXXXXXXXXXX", "theme": null, "visibility": "Private", "onPremisesProvisioningErrors": [], "serviceProvisioningErrors": [], "graphendpointtype": "directoryroles"}

 

Wanted to extract timestamp from createdDateTime field. 

I tried TIMESTAMP_FIELDS = createdDateTime, 

and

INGEST_EVAL=_time=strptime(spath(_raw,"createdDateTime"), "%Y-%m-%dT%H:%M:%S%Z")

as per previous answers.splunk posts but nothing worked, splunk still picks up index time only.

What am I doing wrong here? 

Tags (1)
0 Karma
1 Solution

dvg06
Path Finder

If  you are using /services/collector/event end point to send events, try changing it to /services/collector/raw.

Test using below commands

 

curl -vvvv -k https://hecendpoint:8088/services/collector/raw -H "Authorization: Splunk XXXXXXXXXXXX" -d '{"id": "raw-message", "createdDateTime": "2023-09-23T11:11:11Z"}'

curl -vvvv -k https://splunkviphec.bbl.int:8088/services/collector/event -H "Authorization: Splunk XXXXXXXXXXXXXXX" -d '{"event":{"id": "event-message", "createdDateTime": "2023-09-23T11:11:11Z"}}'

View solution in original post

dvg06
Path Finder

If  you are using /services/collector/event end point to send events, try changing it to /services/collector/raw.

Test using below commands

 

curl -vvvv -k https://hecendpoint:8088/services/collector/raw -H "Authorization: Splunk XXXXXXXXXXXX" -d '{"id": "raw-message", "createdDateTime": "2023-09-23T11:11:11Z"}'

curl -vvvv -k https://splunkviphec.bbl.int:8088/services/collector/event -H "Authorization: Splunk XXXXXXXXXXXXXXX" -d '{"event":{"id": "event-message", "createdDateTime": "2023-09-23T11:11:11Z"}}'

Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...