Splunk JSON timestamp in KV_MODE

Jakub
Explorer

Hi All,

I have an event timestamp with milliseconds:

Jakub_0-1628080741810.png

_time with Unix epoch seconds:

Jakub_1-1628080790910.png

and during search the timestamp is from _time, and I would like to have it with milliseconds.

Jakub_2-1628080861202.png

I am using KV_MODE in Search cluster props.conf.

[k8s:dev]
KV_MODE = json

and I am trying to make changes in the HF props.conf, like TIME_FIELDS, TIME_PREFIX, TIME_FORMAT, but none of them work. INDEXED_EXTRACTIONS is turned OFF in the HF props.conf.

HF props.conf

[k8s:dev]
#temporary removed to fix https://jira/browse/DEVA-61153
#INDEXED_EXTRACTIONS = JSON
#TIME_PREFIX = {\\"@timestamp\\":\\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TIMESTAMP_FIELDS = @timestamp
TRUNCATE = 200000
TRANSFORMS-discard_events = setnull_whitespace_indented,setnull_debug_logging
SEDCMD-RemoveLogProp = s/("log":)(.*)(?="stream":)//

This is the log which is coming into Splunk by HEC:

{"log":"{\"@timestamp\":\"2021-08-03T09:00:57.539+02:00\",\"@version\":\"1\",\"message\":

My question is:

Do changes like TIME_FIELDS, TIME_PREFIX, TIME_FORMAT in the HF have an effect on this process when INDEXED_EXTRACTIONS is not in use?

Thank you very much for your answers.

0 Karma

kamlesh_vaghela
SplunkTrust

@Jakub 

Can you please try this?

[k8s:dev]
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 29
NO_BINARY_CHECK = true
SEDCMD-a = s/\{\"log\":\"//g
SEDCMD-b = s/\"\}$//g
SEDCMD-c = s/\\"/"/g
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TIME_PREFIX = {\"log\":\"{\\"@timestamp\\":\\"
TRUNCATE = 200000

My sample event:

{"log":"{\"@timestamp\":\"2021-08-03T09:00:57.539+02:00\",\"@version\":\"1\",\"message\":\"\"}"}

You can update the SEDCMD Configuration as per your actual event.

Screenshot 2021-08-04 at 9.15.21 PM.png

0 Karma
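As an added illustration (not code from this thread or from Splunk), the following Python script replays the answer's three SEDCMD rewrites and its TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD settings against the sample event, then parses the unwrapped @timestamp with millisecond precision, which is what the asker wants _time to carry. It assumes only the sample event from the answer; the regexes are hand-translated from props.conf syntax to Python, and the function names are my own.

```python
import json
import re
from datetime import datetime

# Constructed sample event, copied from the answer: the container runtime wraps the
# application's JSON line in a "log" string, so the inner JSON arrives escaped.
RAW_EVENT = (
    '{"log":"{\\"@timestamp\\":\\"2021-08-03T09:00:57.539+02:00\\",'
    '\\"@version\\":\\"1\\",\\"message\\":\\"\\"}"}'
)

# Python equivalents of the three SEDCMD rewrites from the answer, applied in order:
#   SEDCMD-a = s/\{\"log\":\"//g   strip the opening {"log":" wrapper
#   SEDCMD-b = s/\"\}$//g          strip the closing "} of the wrapper
#   SEDCMD-c = s/\\"/"/g           unescape the inner quotes
SEDCMDS = [
    (re.compile(r'\{"log":"'), ""),
    (re.compile(r'"\}$'), ""),
    (re.compile(r'\\"'), '"'),
]

# Equivalent of the answer's TIME_PREFIX, matched against the raw (pre-SEDCMD) event,
# since Splunk extracts the timestamp before the SEDCMD rewrites run.
TIME_PREFIX = re.compile(r'\{"log":"\{\\"@timestamp\\":\\"')
MAX_TIMESTAMP_LOOKAHEAD = 29  # length of 2021-08-03T09:00:57.539+02:00


def unwrap_event(raw: str) -> dict:
    """Apply the SEDCMD rewrites and parse what Splunk would index as the event."""
    text = raw
    for pattern, replacement in SEDCMDS:
        text = pattern.sub(replacement, text)
    return json.loads(text)


def timestamp_window(raw: str) -> str:
    """Return the text Splunk would hand to TIME_FORMAT: the bytes after TIME_PREFIX,
    bounded by MAX_TIMESTAMP_LOOKAHEAD. Raises if the prefix does not match, which
    is when _time silently falls back to index time."""
    match = TIME_PREFIX.search(raw)
    if match is None:
        raise ValueError("TIME_PREFIX did not match; _time would fall back to index time")
    return raw[match.end():match.end() + MAX_TIMESTAMP_LOOKAHEAD]


def extract_time(raw: str) -> float:
    """Parse the timestamp window to epoch seconds, keeping the milliseconds.
    Python spells the subsecond and offset directives %f and %z (Python 3.7+)."""
    parsed = datetime.strptime(timestamp_window(raw), "%Y-%m-%dT%H:%M:%S.%f%z")
    return parsed.timestamp()  # 1627974057.539 for the sample event
```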

Jakub
Explorer

Hi @kamlesh_vaghela ,

Thank you so much for your answer, but it does not work. I was thinking whether it could be the issue/solution below. (I am collecting it via HTTP Event Collector.)

Solved: HEC: How to set _time on base of a specific JSON f... - Splunk Community

But my SEDCMD works correctly and I was able to remove the "log": property from events, hence the props.conf in the HF has to work correctly and it is not a case of the "event" endpoint of HEC.

Also, SEDCMD is the only thing which works.

SEDCMD-RemoveLogProp = s/("log":)(.*)(?="stream":)//

Could it be that INDEXED_EXTRACTIONS is OFF and KV_MODE is ON in search?

Thank you very much.

0 Karma