Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set the _time in SC4S events to the current time/time event was recieved?

davidoff96
Path Finder
2 weeks ago

Some data would be mistagged as a different time zone, or would come in very late and would miss our alarms, since the _time was set in the past. Management also prefers our _time be essentially index time. How would I set that?

The following does NOT work in compliance_meta_by_source.csv:

f_name,.splunk._time,${R_UNIXTIME}

f_name,.splunk.time,${R_UNIXTIME}

f_name,.fields.time,${R_UNIXTIME}

f_name,.fields._time,${R_UNIXTIME}

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

davidoff96
Path Finder
2 weeks ago

Answering my own question, mostly in case I need to do this again in the future:

You can make sc4s set the _time to R_UNIXTIME (aka, the time syslog-ng actually recieved the event) by adding the following to the compliance_meta_by_source.csv file:

f_name,.netsource.sc4s_use_recv_time,"yes"

 

Explanation:

I noticed that you could do this because I cloned the repo, desperate for any sort of help I could get. In the project, you can find this funny little line tucked away:

davidoff96_0-1759154379578.png

Which apparently, though not documented anywhere I'm aware of, controls whether an event has the _time set to the time syslog-ng "guesses", or the time the event came in. I tested it on a noisy source, and you can see here that R_UNIXTIME and _time are the same:

davidoff96_1-1759154495982.png

In this example, test_time_stamp was hard coded to be R_UNIXTIME, and test_time_stamp_actual was evaled to be the event _time.

 

So the issue was with Dell Avamar specifically, so I did the following in compliance_meta_by_source.conf:

davidoff96_2-1759154602062.png

 

And the following in compliance_meta_by_source.csv:

davidoff96_3-1759154624250.png

Wanted to post this because I have had almost 0 luck with the documentation for sc4s in the past. Here's to any future sc4s spelunkers

davidoff96_4-1759154693875.png

 

View solution in original post

Reply
Solved! Jump to solution
Solution

davidoff96
Path Finder
2 weeks ago

Answering my own question, mostly in case I need to do this again in the future:

You can make sc4s set the _time to R_UNIXTIME (aka, the time syslog-ng actually recieved the event) by adding the following to the compliance_meta_by_source.csv file:

f_name,.netsource.sc4s_use_recv_time,"yes"

 

Explanation:

I noticed that you could do this because I cloned the repo, desperate for any sort of help I could get. In the project, you can find this funny little line tucked away:

davidoff96_0-1759154379578.png

Which apparently, though not documented anywhere I'm aware of, controls whether an event has the _time set to the time syslog-ng "guesses", or the time the event came in. I tested it on a noisy source, and you can see here that R_UNIXTIME and _time are the same:

davidoff96_1-1759154495982.png

In this example, test_time_stamp was hard coded to be R_UNIXTIME, and test_time_stamp_actual was evaled to be the event _time.

 

So the issue was with Dell Avamar specifically, so I did the following in compliance_meta_by_source.conf:

davidoff96_2-1759154602062.png

 

And the following in compliance_meta_by_source.csv:

davidoff96_3-1759154624250.png

Wanted to post this because I have had almost 0 luck with the documentation for sc4s in the past. Here's to any future sc4s spelunkers

davidoff96_4-1759154693875.png

 

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...