Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why do I have a different result using curl or data input?

Clovisa
Path Finder
‎04-06-2018 01:34 AM

Hi,

I noticed something strange. When I upload the following JSON by the Splunk Web interface, using he json_sales sourcetype described below, the "Date" field is set as timestamp (which is what I want).
But when I try to push the same JSON line via HTTP event collector, the timestamp that is set is the indexation time. Where does it come from? How can I set the "Date" field as a timestamp while using HTTP? Thank you!

 JSON

    {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}

props.conf

[json_sales]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = Date
TIME_FORMAT = %Y-%m-%d
category = Structured
disabled = false
pulldown_type = true

cURL

curl -k  http://splunk:8088/services/collector -H "Authorization: Splunk 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX" -d '{"sourcetype": "json_sales", "event": {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}}'

inputs.conf in splunk_httpinput/local

[http://Vente]
disabled = 0
index = sales
token = 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX
sourcetype = json_sales
0 Karma
Reply

p_gurav
Champion
‎04-06-2018 02:10 AM

Is your props.conf file in splunk_httpinput/local path?

0 Karma
Reply

Clovisa
Path Finder
‎04-06-2018 03:02 AM

It wasn't initially, I just moved it and tried but I still don't have the right timestamp

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!