Getting Data In

Why is the TIMESTAMP_FIELDS setting in props.conf, on the Universal Forwarder, not taken into account?

Path Finder

I have the issue that the TIMESTAMP_FIELDS setting in the props.conf on the Universal Forwarder is not taken into account. It seems like the field _time is filled in with the time the line is being indexed and not take from the log line itself.

Splunk Enterprise:

VERSION=6.6.3
BUILD=e21ee54bc796
PRODUCT=splunk
PLATFORM=Linux-x86_64

Splunk Universal Forwarder:

VERSION=6.6.3
BUILD=e21ee54bc796
PRODUCT=splunk
PLATFORM=Linux-x86_64

Log line example:

{"Application":"CNIP","CallStatus":"OK","CallType":"TERM-RP","Called":"xxxxxxxxx","Calling":"xxxxxxxxx","Clir":"false","DelayTime":"161","Error":"","ErrorBy":"","ErrorSeverity":"","Name":"xxxxxxxxx","NameBy":"DisDB","OverwriteCli":"","Protocol":"SIPPROXY","SessionId":"xxxxxxxxx","StartTime":"2018-06-20T08:36:00Z","StopTime":"2018-06-20T08:36:00Z","logLevel":1}

How it is seen on Splunk:
alt text

As you can see, the times are not taken from the "StartTime" field in the logline.
Here the config on the Forwarder:
inputs.conf

[monitor:///locationOnServer/LogFile]
index=csdp_prod_services
source=CNIPService
sourcetype=CnipCallLog.log
ignoreOlderThan=1d

props.conf

[CNIPService]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=json
KV_MODE=none
category=Structured
disabled=false
TIMESTAMP_FIELDS=StartTime
TZ = UTC #I tried with and without this field, same behavior
TIME_FORMAT=%FT%TZ #I tried with and without this field, same behavior

What am I missing here to make this work? I want the _time field to be filled in based on the "StartTime" field in the log lines.

0 Karma
1 Solution

Path Finder

Problem is solved.
What I did was a combination of the answers above.

I added the following to the props.conf on the indexer (so not the UF):

TIME_PREFIX = StartTime\": 
TIME_FORMAT=%FT%TZ

TIME_PREFIX: The \" after the field name (as proposed above) was not needed, this caused the indexer to stop accepting new events on this input.)
After applying these changes, it worked perfectly!

Thank you all for the help!

View solution in original post

0 Karma

Path Finder

Problem is solved.
What I did was a combination of the answers above.

I added the following to the props.conf on the indexer (so not the UF):

TIME_PREFIX = StartTime\": 
TIME_FORMAT=%FT%TZ

TIME_PREFIX: The \" after the field name (as proposed above) was not needed, this caused the indexer to stop accepting new events on this input.)
After applying these changes, it worked perfectly!

Thank you all for the help!

View solution in original post

0 Karma

Ultra Champion

Shouldn't that props.conf go on your indexer instead of the UF?

0 Karma

Path Finder

When I add the following config to the indexer instead of the UF:
TIME_PREFIX = StartTime:
TIME_FORMAT=%FT%TZ

--> same behavior so not working.

When I add the following config to the indexer instead of the UF:
TIME_PREFIX = StartTime\":\"
TIME_FORMAT=%FT%TZ

--> nothing is being indexed anymore for this input.

0 Karma

Champion

Can you try TIME_PREFIX = StartTime: instead of TIMESTAMP_FIELDS?

0 Karma

SplunkTrust
SplunkTrust

It should be TIME_PREFIX = StartTime\":\"

0 Karma

Path Finder

That is also not working.
just now, I did notice that if I change the language (change en-Us to en-GB in the url), the display of the timestamp is not changing on Splunk. So could this be a clue? Splunk seems not to recognize the timestamp format.
On other log we have (with different timestamp formats) we do see the display of the timestamp changing when changing the language of the web GUI.

0 Karma

Path Finder

This proposal has the same behavior. So it is still not working.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!