Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I can not set TIME_FORMAT for event in props.conf

noukash
Explorer
‎08-22-2019 08:30 AM

Hello, splunk community.
I am new to splunk and already reviewed ton of info on the topic but I still can't get why I can't get splunk light to read _time from my event.
The event sent looks like this
{"event": {
"attributed_touch_type": "",
"attributed_touch_time": "",
"event_time": "2019-08-22 10:10:10",
"event_name": "install",
"event_value": "",
"event_revenue": "",
}}
I configure my props.conf file here
... /opt/splunk/etc/system/local/
with the following params
[appsflyer]
ATETIME_CONFIG = NONE
TIME_PREFIX = \"event_time\" :\"
MAX_TIMESTAMP_LOOKAHEAD = 9999
TIME_FORMAT = %Y-%m-%d %H:%M:%S

I reset server several times and made sure data was indexed after reset. Any idea why splunk would not recognize my event_time for _time? Any help would be appreciated.
Thank you in advance.

0 Karma
Reply

woodcock
Esteemed Legend
‎09-02-2019 09:27 AM

If your settings are correct, it must be something else. If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value, NOT the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-22-2019 08:35 AM

Hi noukash,
wher do you created this props.conf file?
You have to put it in the Indexer not in the Forwarder.

In addition it isn't a best practice to put it in /opt/splunk/etc/system/local/ but it's better to put it in a dedicated App.

Bye.
Giuseppe

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...