Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do I have a different result using curl or data input?

Clovisa
Path Finder
‎04-06-2018 01:34 AM

Hi,

I noticed something strange. When I upload the following JSON by the Splunk Web interface, using he json_sales sourcetype described below, the "Date" field is set as timestamp (which is what I want).
But when I try to push the same JSON line via HTTP event collector, the timestamp that is set is the indexation time. Where does it come from? How can I set the "Date" field as a timestamp while using HTTP? Thank you!

 JSON

    {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}

props.conf

[json_sales]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = Date
TIME_FORMAT = %Y-%m-%d
category = Structured
disabled = false
pulldown_type = true

cURL

curl -k  http://splunk:8088/services/collector -H "Authorization: Splunk 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX" -d '{"sourcetype": "json_sales", "event": {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}}'

inputs.conf in splunk_httpinput/local

[http://Vente]
disabled = 0
index = sales
token = 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX
sourcetype = json_sales
0 Karma
Reply

p_gurav
Champion
‎04-06-2018 02:10 AM

Is your props.conf file in splunk_httpinput/local path?

0 Karma
Reply

Clovisa
Path Finder
‎04-06-2018 03:02 AM

It wasn't initially, I just moved it and tried but I still don't have the right timestamp

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top