Getting Data In

JSON timestamp not parsed via HTTP Event Collector in Splunk cluster

thol
Explorer

I have a similar issue as described in another question "JSON timestamps not parsed via HTTP Event Collector". But I'm seeing the issue only in a Splunk cluster setup. (Http request sending event to forwarder, then to indexer). Single node splunk instance works OK.

I've also tried to use the raw endpoint as described in the answer to the above question but still doesn't work. Event timestamp (_time) is always the current time of splunk server. Is there any way to have the splunk parse the timestamp inside the event in a forwarder setup?

Source type:
[x_perf]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = NONE
MAX_TIMESTAMP_LOOKAHEAD = -1
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = run_timestamp
TIME_FORMAT = %s
TRUNCATE = 512000
category = Custom
pulldown_type = 1

curl -k -u "x:UUID" https://forwarder:8088/services/collector/raw?channel=XXXXX --data-binary @json_file.json
==json file===
[
{
"event": {
"key1": "value1",
"key2": "value2",
"run_timestamp": 1513024571
},
"index": "x-index",
"sourcetype": "x_perf"
}
]

0 Karma

thol
Explorer

Splunk version 6.5.1 correctly uses the timestamp field from sourcetype but later versions including the latest 7.0.1 does not use timestamp from source type and always uses injection time.

0 Karma
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...