props.conf stanza not applying

gml1980
New Member

Hello.

I've got a problem with timestamp extraction. I can get it working on V8.0+ Splunk, but it fails on Splunk V7.2. I'll explain my set up then the problem.

Configuration

inputs.conf

There are multiple source types from a single source. We set sourcetype to changeme then override it later with a transform.

[tcp://20000]
index=product_analytics
sourcetype=changeme
connection_host=none
host=change_me
source=Single_Source

props.conf

Anything from the above source has three transforms applied to it. Note that each source type has a different TIME_FORMAT requirement. We set a default against the source, then override the parameters in the source type.

[source::Single_Source]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r\r)
TRANSFORMS-Single_Source= json_override_sourcetype,json_override_host,json_strip_indexing_data

TIME_PREFIX = ("|<)t("|>):*

[Source_Product_One]
KV_MODE = json
TIME_FORMAT = %s%3N

[Source_Product_Two]
KV_MODE = xml

transforms.conf

The source type is defined in the incoming JSON data by an "st" variable. We know the transforms work as the indexed data has the source type set to the expected value (same for host set by the second transform and the stripping of data by the third transform).

[json_override_sourcetype]
DEST_KEY=MetaData:Sourcetype
REGEX = "st":"([^"]*)
FORMAT = sourcetype::$1

[json_override_host]
DEST_KEY=MetaData:Host
REGEX = "h":"([^"]*)
FORMAT = host::$1

[json_strip_indexing_data]
DEST_KEY=_raw
REGEX = ^.*"h":"[^"]*",(.*)$
FORMAT = {$1

Problem

On Splunk 7.2 any events with "Source_Product_One" source type fail to have their timestamps correctly extracted (it uses the received event time, not the contents of the "t" field in the incoming data). Events with a source type of "Source_Product_Two" are correctly extracted.

On Splunk 8.0 this works. Events with either "Source_Product_One" or "Source_Product_Two" source types have the timestamps correctly extracted. 

On Splunk 7.2, if I move the TIME_FORMAT parameters to the source stanza - out from the source type stanzas - then timestamp extraction works, but this breaks the time extraction for all other source types. See this example:

[source::Single_Source]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r\r)
TRANSFORMS-Single_Source= json_override_sourcetype,json_override_host,json_strip_indexing_data
TIME_FORMAT = %s%3N

TIME_PREFIX = ("|<)t("|>):*

[Source_Product_One]
KV_MODE = json

[Source_Product_Two]
KV_MODE = xml

This works - Source_Product_One source types now have timestamps extracted, but Source_Product_Two source type events no longer have timestamps extracted.

I've also tried this - and it didn't work either - timestamp extraction continued to fail.

[source::Single_Source]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r\r)
TRANSFORMS-Single_Source= json_override_sourcetype,json_override_host,json_strip_indexing_data

TIME_PREFIX = ("|<)t("|>):*

[Source_Product_One]
KV_MODE = json

TIME_FORMAT = %s%3N

[Source_Product_Two]

TIME_FORMAT = %a %b %d %H:%M:%S %Z%:z %Y

Each source type has a different TIME_FORMAT requirement - so I'd like to fix it so both are correctly applied. Any suggestion on how to do this please? Or advice on debugging.

Thanks for your time.
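The following is an added, stand-alone harness (not the poster's code and not a Splunk component) for checking the posted TIME_PREFIX and the two TIME_FORMAT strings offline against sample events before editing props.conf. It models only the props layering the post relies on (a sourcetype stanza overriding the source stanza) and reproduces the symptom described when every event is parsed with one stanza's settings; it does not model Splunk's ingestion pipeline or which stage applies the sourcetype override. Python's strptime lacks Splunk's %3N and %:z extensions, so the two formats are parsed by hand, and the sample events are constructed, shaped like the data after json_strip_indexing_data has run.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp settings copied from the posted props.conf (constructed dicts).
SOURCE_PROPS = {"TIME_PREFIX": r'("|<)t("|>):*'}
SOURCETYPE_PROPS = {
    "Source_Product_One": {"TIME_FORMAT": "%s%3N"},
    "Source_Product_Two": {"TIME_FORMAT": "%a %b %d %H:%M:%S %Z%:z %Y"},
}

# Constructed sample events; both encode 2023-11-14T22:13:20 UTC.
SAMPLE_EVENTS = [
    ("Source_Product_One", '{"t":1700000000123,"msg":"login ok"}'),
    ("Source_Product_Two",
     "<event><t>Tue Nov 14 23:13:20 CET+01:00 2023</t><msg>login ok</msg></event>"),
]


def effective_props(sourcetype):
    """Layer the sourcetype stanza over the source defaults (sourcetype wins on conflict)."""
    merged = dict(SOURCE_PROPS)
    merged.update(SOURCETYPE_PROPS.get(sourcetype, {}))
    return merged


def _parse_epoch_millis(text):
    # %s%3N: ten-digit epoch seconds immediately followed by three millisecond digits.
    m = re.match(r"(\d{10})(\d{3})", text)
    if not m:
        return None
    secs, millis = int(m.group(1)), int(m.group(2))
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=millis)


def _parse_named_tz(text):
    # %a %b %d %H:%M:%S %Z%:z %Y: the zone name (%Z) is skipped, the numeric
    # offset (%:z) is captured by regex and applied by hand; %a is not validated.
    m = re.match(
        r"(\w{3}) (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) [A-Za-z]+([+-])(\d{2}):(\d{2}) (\d{4})",
        text,
    )
    if not m:
        return None
    mon, day, clock, year = m.group(2), m.group(3), m.group(4), m.group(8)
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    sign = 1 if m.group(5) == "+" else -1
    offset = sign * timedelta(hours=int(m.group(6)), minutes=int(m.group(7)))
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


PARSERS = {
    "%s%3N": _parse_epoch_millis,
    "%a %b %d %H:%M:%S %Z%:z %Y": _parse_named_tz,
}


def extract_timestamp(raw, props):
    """Locate TIME_PREFIX in the event and parse what follows with TIME_FORMAT.
    Returns a UTC datetime, or None when the prefix or the format does not match."""
    prefix = re.search(props["TIME_PREFIX"], raw)
    fmt = props.get("TIME_FORMAT")
    if not prefix or fmt not in PARSERS:
        return None
    # A JSON value may be quoted; drop a leading quote before parsing.
    return PARSERS[fmt](raw[prefix.end():].lstrip('"'))


def check_events(events=SAMPLE_EVENTS, sourcetype_override=None):
    """Return {sourcetype: ISO-8601 UTC timestamp or None}. sourcetype_override
    parses every event with a single stanza's settings, which reproduces the
    symptom of one product parsing and the other falling back to None."""
    results = {}
    for st, raw in events:
        ts = extract_timestamp(raw, effective_props(sourcetype_override or st))
        results[st] = ts.isoformat() if ts else None
    return results


if __name__ == "__main__":
    print("per-sourcetype settings:", check_events())
    print("everything parsed as Source_Product_One:",
          check_events(sourcetype_override="Source_Product_One"))
```

Run it as-is to confirm both formats parse their own event; then feed it real (redacted) `_raw` lines in place of the constructed samples to check that the prefix regex lands on the `t` field and that nothing between the prefix and the value (a quote, whitespace) needs accounting for in TIME_PREFIX.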
