@PickleRick I already tried and added attribute under props  but this also not working.

 "TIMESTAMP_FIELDS = time" and added KV_MODE=json 

Wait, but if your local timezone is EST and your profile is configured with EST, that's actually the proper timestamp.

The source is reporting 14:15 UTC so it's 9:15 EST

@ITWhisperer  That timezone difference I can exclude by using TZ setting attribute in props. But I am having another issue with nano seconds.

Other issue is the nano second issue.

I have lost count of the number of times we have suggested (requested) that event data is show in raw format (preferably in a code block using the </> button). Splunk will be processing the raw data, not the formatted, "pretty" version you have shown us. In light of this, is your actual raw event data a JSON object, and therefore wouldn't the TIME_PREFIX be more like "time":" (perhaps with some spaces \s)?

@ITWhisperer  Thanks for information. 

Yes, My actual data is in the json format. Could you please suggest what I need to do with props so the events can parse properly with timestamp filed of the events.

Your data is JSON, but you are showing a screenshot of Splunk presenting that data to you in a formatted way. Please click the show as raw text and show what time looks like in the RWA data, not the pretty-printed version.

Hi @bowesmana  raw text is look like as below.

{"traceid":"00000000000000000033000000000000","spanid":"0000000000000000","datacontenttype":"application/json","data":{"retentionMinutes":43200,"batchSize":1000,"windowDurationSeconds":600},"messages":[],"specversion":"1.0","classofpayload":"com.vl.decanter.decanter.generici.domain.command.PurgeCommand","id":"ccbae519-foa4-4c0c-ad75-261720d764e5","source":"decanter-scheduler","time":"2024-11-19T09:30:00.058376Z","type":"PurgeEventOutbox"}

@bowesmana Thanks for the solution and investing your valuable time.  But still micro seconds are not matching. 

Splunk will only ever show milliseconds for the _time field, but if you do

...
| head 5
| eval actual_time_value=_time
| table _time actual_time_value

You can see the time field as it is stored as a number

This does not show evidence of the microseconds not matching. The Time field is merely displayed to millseconds not microseconds.

According to the docs the MAX_TIMESTAMP_LOOKAHEAD is applied _from_ the TIME_PREFIX-defined location.

@ITWhisperer On EST time the server is .

@bowesmana I have tried below settings but nothings works for me. Is there any workaround I need to apply.

CHARSET = UTF-8
#AUTO_KV_JSON = false
DATETIME_CONFIG =
#INDEXED_EXTRACTIONS = json
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
MAX_TIMESTAMP_LOOKAHEAD = 550
TIME_PREFIX = time:\s+
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z
category = Custom
pulldown_type = true


Example Pattern of event :

{ [-]
classofpayload: com.v.decanter.deca.generic.domain.command.PurgeCommand
data: { [-]
batchSize: 1000
retentionMinutes: 43200
windowDurationSeconds: 600
}
datacontenttype: application/json
id: 32e31ec6-2362-4b46-966e-ec4bdbb3llbe
messages: [ [-]
]
source: decanter-scheduler
spanid: 0000000000000000
specversion: 1.0
time: 2024-11-18T04:15:00.057785Z
traceid: 00000000000000000000000000000000
type: PurgeEventOutbox
}

So the time is out by exactly 5 hours which represents your timezone, therefore it is correct. Are there any other discrepancies apart from this (which is now accounted for)?

@richgalloway 

1. Props is  installed on search app

2. The setting is on Indexer itself and I am using below endpoint.

3. Endpoint is : services/collector/raw

4. I will try and add %Z in my current props.

Thanks

1)  OK, but search is Splunk's app.  Your settings should be in your own app.

2) Is the HEC endpoint on the indexer?  If not, the props are doing anything.  Make sure the props are on the same instance as HEC.

4) As Yoda would say, "do or do not, there is no try"