Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk JSON timestamp in KV_MODE

Jakub
Explorer
‎08-04-2021 05:51 AM

Hi All,

I have Event timestamp with miliseconds:

Jakub_0-1628080741810.png

_time with Unix epoch seconds:

Jakub_1-1628080790910.png

and during search the timestamp is from _time, and I would like to have it with milliseconds.

Jakub_2-1628080861202.png

 

I am using KV_MODE in Search cluster props.conf.

 

[k8s:dev]
KV_MODE = json

 

 

and I am trying to do changes in HF props.conf , like TIME_FIELDS, TIME_PREFIX, TIME_FORMAT, but none of them work. INDEXED_EXCTRACTION is turned OFF in HF props.conf

HF props.conf

 

[k8s:dev]
#temporary removed to fix https://jira/browse/DEVA-61153
#INDEXED_EXTRACTIONS = JSON
#TIME_PREFIX = {\\"@timestamp\\":\\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TIMESTAMP_FIELDS = @timestamp
TRUNCATE = 200000
TRANSFORMS-discard_events = setnull_whitespace_indented,setnull_debug_logging
SEDCMD-RemoveLogProp = s/("log":)(.*)(?="stream":)//

 

this is log, which is coming into the Splunk by HEC.

 

{"log":"{\"@timestamp\":\"2021-08-03T09:00:57.539+02:00\",\"@version\":\"1\",\"message\":

 

 

My question is:

Do changes like TIME_FIELDS, TIME_PREFIX, TIME_FORMAT in HF have effect on this process when INDEXED_EXCTRACTION is not in use?

 

Thank you very much for your answers.

Labels (3)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-04-2021 08:45 AM

@Jakub 

Can you please try this?

 

[k8s:dev]
[m_json_data_log_1]
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 29
NO_BINARY_CHECK = true
SEDCMD-a = s/\{\"log\":\"//g
SEDCMD-b = s/\"\}$//g
SEDCMD-c = s/\\"/"/g
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TIME_PREFIX = {\"log\":\"{\\"@timestamp\\":\\"
TRUNCATE = 200000

 

 

My Sample Event :

 

{"log":"{\"@timestamp\":\"2021-08-03T09:00:57.539+02:00\",\"@version\":\"1\",\"message\":\"\"}"}

 

 

You can update the SEDCMD Configuration as per your actual event.

 

Screenshot 2021-08-04 at 9.15.21 PM.png

KV

 

0 Karma
Reply

Jakub
Explorer
‎08-05-2021 01:32 AM

Hi @kamlesh_vaghela ,

 

thank you so much for your answer. But it does not work. I was thinking if it can't be below issue/solution. (I am collecting it via HTTP Event Collector)

Solved: HEC: How to set _time on base of a specific JSON f... - Splunk Community

 

But my SEDCMD works correctly and I was able to remove "log": property from events, hence the props.conf in HF has to work correctly and its not case of the "event" end point of HEC.

Also SEDCMD is only thing which works. 

 

SEDCMD-RemoveLogProp = s/("log":)(.*)(?="stream":)//

 

 

Could it be that INDEXED_EXCTRACTION is OFF and KV_MODE is ON in search?

Thank you very much.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...