Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

After adding a custom field in Splunk, why am I getting error "In handler 'oneshotinput': Argument "dateofdata" is not supported by this handler."?

sdaruna
Explorer
‎01-31-2016 09:50 PM

Hi,

I need to add a field which represents the date of the indexed data. I need to fetch the results in a search based on data. So, I tried to add a custom field in Splunk.

I added a new field in fields.conf file as follows. 

[dateofdata]
INDEXED = True
INDEXED_VALUE = False

As I need to index the data using Splunk Java API, I used it as follows.

Service service = new Service("localhost", 8089);
        connect(loginArgs);

        Args eventArgs = new Args();
        eventArgs.put("sourcetype", "whole_file");
        eventArgs.put("host", "local");
        eventArgs.put("dateofdata","20160125");

        IndexCollection myIndexes = service.getIndexes();
        Index index = myIndexes.get("my_index3");

        index.upload(
                "/Users/srini/imp_work/xml_dump/2016-01-16/xml_file_1.xml",
                eventArgs);

I got the following error when I executed it.

Exception in thread "main" com.splunk.HttpException: HTTP 400 -- 
 In handler 'oneshotinput': Argument "dateofdata" is not supported by this handler.
    at com.splunk.HttpException.create(HttpException.java:84)
    at com.splunk.HttpService.send(HttpService.java:452)
    at com.splunk.Service.send(Service.java:1293)
    at com.splunk.HttpService.post(HttpService.java:308)
    at com.splunk.EntityCollection.create(EntityCollection.java:95)
    at com.splunk.Index.upload(Index.java:1131)
    at com.srini.splunk.SplunkExample.main(SplunkExample.java:31)
0 Karma
Reply

stephane_cyrill
Builder
‎02-01-2016 02:10 AM

HI, _indextime might help you.

The _indextimefield contains the time that an event was indexed, expressed in
Unix time. You might use this field to focus on or filter out events that were
indexed within a specific range of time.

0 Karma
Reply

sdaruna
Explorer
‎02-01-2016 07:26 AM

Hi Stephane,

I do not need the exact indexed time. I could index any date data at any time. But, i need to fetch data by date when receiving.

It was same error, if i tried to set _indextime field through program.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...