Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to consider "time" as "_time" on logstash config?

indeed_2000
Motivator
‎06-14-2023 01:06 AM

Hi

I have logstash config that send logs to Splunk HEC.

these data contain field that call "time".

Now question is: Is it possible to consider "time" as "_time" on logstash config?

 

FYI: i want to consider this time as _time not the time that splunk receive it

 

Any idea?

Thanks

Labels (1)
Labels
Tags (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-14-2023 01:21 AM

Hi

There are ways to do it. I point to another answers where it has solved:

There are several other post covering this. Main point is use raw endpoint or set time field on json's "header" part outside of actual payload.

r. Ismo

0 Karma
Reply

indeed_2000
Motivator
‎06-14-2023 01:42 AM

@isoutamois it possible to fix it in logstash ? instead in splunk?

how splunk decide what is the "_time"? always consider as receive time?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-14-2023 02:04 AM

As you send it via HEC you must told to splunk which field you want to use as _time otherwise it's used it's own heuristic to try to guess the correct time.

Here is described how this is happening https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

 

0 Karma
Reply

indeed_2000
Motivator
‎06-14-2023 06:49 AM

As splunk can guess timestamp is it possible to send data from logstash in somehow that splunk consider e.g field that in json format called “time” consider as _time?

without change splunk settings?

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-14-2023 01:21 PM
You should read those above links. Those describe how it should do.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...