Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to consider "time" as "_time" on logstash config?

indeed_2000
Motivator
‎06-14-2023 01:06 AM

Hi

I have logstash config that send logs to Splunk HEC.

these data contain field that call "time".

Now question is: Is it possible to consider "time" as "_time" on logstash config?

 

FYI: i want to consider this time as _time not the time that splunk receive it

 

Any idea?

Thanks

Labels (1)
Labels
Tags (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-14-2023 01:21 AM

Hi

There are ways to do it. I point to another answers where it has solved:

There are several other post covering this. Main point is use raw endpoint or set time field on json's "header" part outside of actual payload.

r. Ismo

0 Karma
Reply

indeed_2000
Motivator
‎06-14-2023 01:42 AM

@isoutamois it possible to fix it in logstash ? instead in splunk?

how splunk decide what is the "_time"? always consider as receive time?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-14-2023 02:04 AM

As you send it via HEC you must told to splunk which field you want to use as _time otherwise it's used it's own heuristic to try to guess the correct time.

Here is described how this is happening https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

 

0 Karma
Reply

indeed_2000
Motivator
‎06-14-2023 06:49 AM

As splunk can guess timestamp is it possible to send data from logstash in somehow that splunk consider e.g field that in json format called “time” consider as _time?

without change splunk settings?

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-14-2023 01:21 PM
You should read those above links. Those describe how it should do.
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...