Ingest events from AWS SQS but how to config times...

Getting Data In

I am a newbie and I have understood basics on how to use the props.conf. But I dont find any doc on ingesting events from AWS SQS then how do I config the props.conf file to include event_timestamp as _time.

Definition says in props.conf is always based on source | sourcetype | host; correct me here if I am wrong. But in case of AWS SQS, all the 3 values are same for more than 1 index. I want this change only for 1 specific index.

Appreciate some insight

sourcetype: aws:s3:accesslogs
source: "s3://jjacob-stats/prod/*.gz"
host: ip-10-0-0-255

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...