Re: logstash overwrite _time field

indeed_2000 · ‎06-14-2023

Hi

I have logstash config that send logs to Splunk HEC.

these data contain field that call "time".

Now question is: Is it possible to consider "time" as "_time" on logstash config?

FYI: i want to consider this time as _time not the time that splunk receive it

Any idea?

Thanks

isoutamo · ‎06-14-2023

Hi

There are ways to do it. I point to another answers where it has solved:

There are several other post covering this. Main point is use raw endpoint or set time field on json's "header" part outside of actual payload.

r. Ismo

indeed_2000 · ‎06-14-2023

@isoutamois it possible to fix it in logstash ? instead in splunk?

how splunk decide what is the "_time"? always consider as receive time?

isoutamo · ‎06-14-2023

As you send it via HEC you must told to splunk which field you want to use as _time otherwise it's used it's own heuristic to try to guess the correct time.

Here is described how this is happening https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

indeed_2000 · ‎06-14-2023

As splunk can guess timestamp is it possible to send data from logstash in somehow that splunk consider e.g field that in json format called “time” consider as _time?

without change splunk settings?

isoutamo · ‎06-14-2023

You should read those above links. Those describe how it should do.

Is it possible to consider "time" as "_time" on logstash config?

rex

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...