Hi All,
My query is: if we put indexed_time=json in props.conf at the HF where we are ingesting events via HEC input, and put KV_MODE=none in props.conf on the SH, will it extract any custom field at the SH or not?
Thanks in Advance
Yes. You'd either set INDEXED_EXTRACTIONS = JSON (assuming this is what you were referring to) on the originating Splunk instance (UF or HF where data is collected) OR set up KV_MODE = json on the Search Head to extract JSON fields.
The first method creates an index-time field extraction (takes more space but has other benefits, such as faster searching, use of tstats etc.) while the second method creates a search-time field extraction.
Thanks guys, yes that is a typo, I am talking about indexed_extraction=json. @somesoni2 @PickleRick I am dealing with a _time field extraction issue. Currently I am ingesting Microsoft Defender logs on a HEC input via Event Hub, and I am collecting them at the /collector/event HEC endpoint. I am using the Splunkbase TA but it seems like events are not extracting _time as per the TA; it is taking it from Event Hub. Not sure how to force Splunk to use the TA regex for the timestamp. Splunk support suggests putting indexed_extraction=json on the HF, but as you mentioned, that will impact the custom field extraction which I did on the SH. Please advise.
If you're sending to the event collector without the ?auto_extract_timestamp=true parameter, Splunk skips parsing time completely. You have to explicitly provide the time field with the event.
Many thanks @PickleRick. Can you please share any doco telling me how I can explicitly provide the timestamp, and where I can see whether we have set auto_extract_timestamp=true or not?
The other thing is that Event Hub is adding its own timestamp to the event as well, so we are getting 2 time fields: one named time (added by Event Hub) and another named timestamp (the correct timestamp from the event). Thanks
The auto_extract_timestamp is an option you have to provide explicitly. So if you're sending to https://your.server:8088/services/collector/event (without the ?auto... part in the URL) you don't have it set. The question is whether you're sending to the /event endpoint or the /raw one.
Yes, we are using the /services/collector/event endpoint, and I think this is what is happening in our case (please see screenshot): Event Hub is putting a time field in the event envelope and Splunk is extracting it. It is not extracting the time coming in the events.
Exactly. If the time field is explicitly defined with the event (not _in_ the event, but with the event), it's used and the time is not parsed at all from the event itself.
I use it quite a lot myself when pushing syslog events via HEC.
@PickleRick So in this case we can extract the time from the event by using indexed_extraction=json with TimePrefix and TimeFormat at the HF, right?
No. If the event metadata already contains a field called "time", the time extraction will not be performed after receiving the event from HEC even if you're using the auto_extract_timestamp option.
So if you have the opportunity, make sure that the "time" field in the event's "envelope" is set to a proper value.
Other than that you could try to do some explicit index-time extractions and ingest-time evals to overwrite the initial _time field, but that's a very ugly solution. And it has nothing to do with Splunk's internal time extraction.
But you have to remember that _time field must be set for an event (either provided explicitly with the event (when ingested from HEC input), extracted from the event at index time or - if extraction is not possible - set to the moment of ingestion). And _time field is always indexed.
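As an added example (not from this thread, and not Splunk's code), here is a small Python model of the rule described above for the /services/collector/event endpoint: an envelope "time" field wins and no parsing happens, otherwise ?auto_extract_timestamp=true makes Splunk parse the event, otherwise _time is the moment of ingestion. It also shows the recommended fix, copying the event's own timestamp into the envelope "time" before sending. The URL, sourcetype and payload are constructed to mimic an Event Hub forwarder envelope and are assumptions, not real data.

```python
"""Model of how an HEC /services/collector/event request ends up choosing _time,
as described in the thread, plus a fixer that sets the envelope "time" field
from the timestamp inside the event.

Added example, not Splunk code. SAMPLE_REQUEST is constructed: the envelope
"time" mimics an Event Hub enqueue time, and the real event time is inside
the event body as "timestamp".
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

SAMPLE_REQUEST = {
    # hypothetical HEC URL, no auto_extract_timestamp parameter
    "url": "https://hec.example.internal:8088/services/collector/event",
    "payload": {
        "time": 1700000000,                 # envelope time, hypothetically added by Event Hub
        "sourcetype": "example:defender",   # hypothetical sourcetype
        "event": {
            "timestamp": "2023-11-13T09:15:30Z",   # the event's own (correct) time
            "category": "AdvancedHunting-Example",
        },
    },
}


def auto_extract_enabled(url: str) -> bool:
    """True when the HEC URL carries ?auto_extract_timestamp=true (the only way it is set)."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("auto_extract_timestamp", ["false"])[0].lower() == "true"


def time_source(url: str, payload: dict) -> str:
    """Return where _time comes from for an /event request, per the thread:
    'envelope'  - a "time" field was sent with the event; used as-is, event not parsed
    'event'     - no envelope time and auto_extract_timestamp=true, so the event is parsed
    'ingestion' - neither, so _time is the moment of ingestion
    """
    if "time" in payload:
        return "envelope"
    if auto_extract_enabled(url):
        return "event"
    return "ingestion"


def fix_envelope_time(payload: dict, field: str = "timestamp") -> dict:
    """Copy the event's ISO-8601 timestamp (UTC 'Z' or offset form) into the envelope
    "time" as epoch seconds, so Splunk uses the correct value without any parsing."""
    event = payload["event"]
    if isinstance(event, str):          # the event may be sent as a JSON string
        event = json.loads(event)
    iso = event[field].replace("Z", "+00:00")
    epoch = datetime.fromisoformat(iso).astimezone(timezone.utc).timestamp()
    fixed = dict(payload)               # leave the original payload untouched
    fixed["time"] = epoch
    return fixed


if __name__ == "__main__":
    url, payload = SAMPLE_REQUEST["url"], SAMPLE_REQUEST["payload"]
    print("before fix, _time comes from:", time_source(url, payload))
    fixed = fix_envelope_time(payload)
    print("envelope time after fix:", fixed["time"])
    print(json.dumps(fixed))
```

The rewrite belongs in whatever sits between Event Hub and HEC (the forwarder function or relay), since once the request reaches Splunk with an envelope "time" there is nothing left for TIME_PREFIX or TIME_FORMAT to do.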
There is no option called INDEXED_TIME in props.conf 🙂 I think you meant INDEXED_EXTRACTIONS. And you don't need to set it to anything since by default it's not set.
If you set KV_MODE to none, Splunk will not perform any automatic KV extractions. It's explicitly stated in the docs:
KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
  * none: if you want no field/value extraction to take place.
  * auto: extracts field/value pairs separated by equal signs.
  * auto_escaped: extracts fields/value pairs separated by equal signs and honors \" and \\ as escaped sequences within quoted values, e.g. field="value with \"nested\" quotes"
  * multi: invokes the multikv search command to expand a tabular event into multiple events.
  * xml: automatically extracts fields from XML data.
  * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not overridden by automatic field/value extraction for a particular host, source, or source type, and also increases search performance.
* The 'xml' and 'json' modes do not extract any fields when used on data that isn't of the correct format (JSON or XML).
* Default: auto