Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- TIMESTAMP_FIELDS for different sources and timesta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello guys,
TIMESTAMP_FIELDS must be setup in props.conf on indexers side, therefore how to use TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype _json? Must we define sub-sourcetypes? Is it possible and how?
First source :
[_json]
TIMESTAMP_FIELDS = @timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
Second source :
[_json]
TIMESTAMP_FIELDS = @start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
When you start splunk, splunk merges all stanza and parameters from same type of configuration file defined in various apps and system/default & system/local . When you define same parameter for same sourcetype in same configuration file (Here in your case props.conf) then precedence order will come into picture. Have a look at https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles
The way you want to achieve might not possible using sourcetype but if you have different source for both the data then you can use below configuration
props.conf
[source::yourSource1]
TIMESTAMP_FIELDS = @timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
[source::yourSource2]
TIMESTAMP_FIELDS = @start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
OR you can try below config, if you want to use sourcetype but I'll not suggest to modify default sourcetype which ships with Splunk installation. Best practice is to create your own sourcetype.
props.conf
[yourSourcetype]
TIMESTAMP_FIELDS = @timestamp,@start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works, thanks :
UF
props.conf
[metrics_json]
TIMESTAMP_FIELDS = start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
INDEXED_EXTRACTIONS = json
inputs.conf
[monitor:///VAR/logs/metrics.log]
blacklist = archives
disabled = false
index = ppr_app
sourcetype = metrics_json
IDX
props.conf
[metrics_json]
TIMESTAMP_FIELDS = start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
SH
props.conf
[metrics_json]
KV_MODE = json
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
When you start splunk, splunk merges all stanza and parameters from same type of configuration file defined in various apps and system/default & system/local . When you define same parameter for same sourcetype in same configuration file (Here in your case props.conf) then precedence order will come into picture. Have a look at https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles
The way you want to achieve might not possible using sourcetype but if you have different source for both the data then you can use below configuration
props.conf
[source::yourSource1]
TIMESTAMP_FIELDS = @timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
[source::yourSource2]
TIMESTAMP_FIELDS = @start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
OR you can try below config, if you want to use sourcetype but I'll not suggest to modify default sourcetype which ships with Splunk installation. Best practice is to create your own sourcetype.
props.conf
[yourSourcetype]
TIMESTAMP_FIELDS = @timestamp,@start
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
