JSON timestamp not parsed via HTTP Event Collector...

thol · ‎12-11-2017

I have a similar issue as described in another question "JSON timestamps not parsed via HTTP Event Collector". But I'm seeing the issue only in a Splunk cluster setup. (Http request sending event to forwarder, then to indexer). Single node splunk instance works OK.

I've also tried to use the raw endpoint as described in the answer to the above question but still doesn't work. Event timestamp (_time) is always the current time of splunk server. Is there any way to have the splunk parse the timestamp inside the event in a forwarder setup?

Source type:
[x_perf]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = NONE
MAX_TIMESTAMP_LOOKAHEAD = -1
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = run_timestamp
TIME_FORMAT = %s
TRUNCATE = 512000
category = Custom
pulldown_type = 1

curl -k -u "x:UUID" https://forwarder:8088/services/collector/raw?channel=XXXXX --data-binary @json_file.json
==json file===
[
{
"event": {
"key1": "value1",
"key2": "value2",
"run_timestamp": 1513024571
},
"index": "x-index",
"sourcetype": "x_perf"
}
]

thol · ‎12-14-2017

Splunk version 6.5.1 correctly uses the timestamp field from sourcetype but later versions including the latest 7.0.1 does not use timestamp from source type and always uses injection time.

JSON timestamp not parsed via HTTP Event Collector in Splunk cluster

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation