Why do I have a different result using curl or dat...

Clovisa · ‎04-06-2018

Hi,

I noticed something strange. When I upload the following JSON by the Splunk Web interface, using he json_sales sourcetype described below, the "Date" field is set as timestamp (which is what I want).
But when I try to push the same JSON line via HTTP event collector, the timestamp that is set is the indexation time. Where does it come from? How can I set the "Date" field as a timestamp while using HTTP? Thank you!

 JSON

    {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}

props.conf

[json_sales]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = Date
TIME_FORMAT = %Y-%m-%d
category = Structured
disabled = false
pulldown_type = true

cURL

curl -k  http://splunk:8088/services/collector -H "Authorization: Splunk 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX" -d '{"sourcetype": "json_sales", "event": {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}}'

inputs.conf in splunk_httpinput/local

[http://Vente]
disabled = 0
index = sales
token = 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX
sourcetype = json_sales

p_gurav · ‎04-06-2018

Is your props.conf file in splunk_httpinput/local path?

Clovisa · ‎04-06-2018

It wasn't initially, I just moved it and tried but I still don't have the right timestamp

Why do I have a different result using curl or data input?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!