JSON timestamp not parsed via HTTP Event Collector...

thol · ‎12-11-2017

I have a similar issue as described in another question "JSON timestamps not parsed via HTTP Event Collector". But I'm seeing the issue only in a Splunk cluster setup. (Http request sending event to forwarder, then to indexer). Single node splunk instance works OK.

I've also tried to use the raw endpoint as described in the answer to the above question but still doesn't work. Event timestamp (_time) is always the current time of splunk server. Is there any way to have the splunk parse the timestamp inside the event in a forwarder setup?

Source type:
[x_perf]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = NONE
MAX_TIMESTAMP_LOOKAHEAD = -1
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = run_timestamp
TIME_FORMAT = %s
TRUNCATE = 512000
category = Custom
pulldown_type = 1

curl -k -u "x:UUID" https://forwarder:8088/services/collector/raw?channel=XXXXX --data-binary @json_file.json
==json file===
[
{
"event": {
"key1": "value1",
"key2": "value2",
"run_timestamp": 1513024571
},
"index": "x-index",
"sourcetype": "x_perf"
}
]

thol · ‎12-14-2017

Splunk version 6.5.1 correctly uses the timestamp field from sourcetype but later versions including the latest 7.0.1 does not use timestamp from source type and always uses injection time.

JSON timestamp not parsed via HTTP Event Collector in Splunk cluster

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

4 Ways the Splunk Community Helps You Prepare for .conf25

Are you a member of the Splunk Community?

JSON timestamp not parsed via HTTP Event Collector in Splunk cluster

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

4 Ways the Splunk Community Helps You Prepare for .conf25