We used the REST receivers/simple API to send a body with some fields to index as a URL-encoded form.
Among these there is a time field containing a timestamp. We configured the sourcetype as in the figure.
The problem is that Splunk is indexing with the time at which it receives the data (as if datetime were CURRENT or it found no fields with time information).
An example of the data is
name=session_started&params=%7B%22request_id%22%3A+%220af2918a-0125-4573-9a27-bd1a6deef75d%22%2C+%22subject%22%3A+%22mmt-112%22%7D&time=2021-09-16T09%3A24%3A08.355865
We thought that the encoded data could be the problem, so we changed the format of the body sent to Splunk to JSON:
{"name": "session_started", "params": "{\"request_id\": \"0af2918a-0125-4573-9a27-bd1a6deef75d\", \"subject\": \"mmt-112\"}", "time": "2021-09-16T09:24:08.355865"}
but the _time was again the time of receiving.
We tried several tweaks, but none of them had success.
Any suggestion? What to do? What to try?
A big thanks to the Splunk gurus who will help us!
I used your event string as a test:
{"name": "session_started", "params": "{\"request_id\": \"0af2918a-0125-4573-9a27-bd1a6deef75d\", \"subject\": \"mmt-112\"}", "time": "2021-09-16T09:24:08.355865"}
When I tried
Timestamp Format %Y-%m-%dT%H:%M:%3
with
Timestamp Prefix time":\s"
it already parsed the correct date and time in Splunk.
It works! Thanks.
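The two settings in the answer correspond to TIME_PREFIX and TIME_FORMAT in props.conf. The Python below is an added example, not code from the thread or from Splunk: it loads a constructed props.conf stanza and emulates how a prefix regex followed by a strptime format picks the timestamp out of the two event bodies posted in the question. The sourcetype names, the MAX_TIMESTAMP_LOOKAHEAD and TZ values are assumptions, and where the answer's format ends in `%3` the example assumes the full form `%Y-%m-%dT%H:%M:%S.%6N` (Splunk's `%6N` is six sub-second digits). It is a simplified model of Splunk's timestamp extraction, not a reimplementation of it.

```python
import configparser
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Constructed props.conf text (assumed, not the asker's real config).
# "Timestamp Prefix" / "Timestamp Format" in the UI map to TIME_PREFIX / TIME_FORMAT.
# [rest_session] targets the JSON body, [rest_form] the URL-encoded form body.
PROPS_CONF = r"""
[rest_session]
TIME_PREFIX = time":\s"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 32
TZ = UTC

[rest_form]
TIME_PREFIX = time=
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 32
TZ = UTC
"""

# Sample events copied from the question: the URL-encoded form body and the JSON body.
URLENCODED_EVENT = (
    "name=session_started&params=%7B%22request_id%22%3A+%220af2918a-0125-4573-9a27-"
    "bd1a6deef75d%22%2C+%22subject%22%3A+%22mmt-112%22%7D&time=2021-09-16T09%3A24%3A08.355865"
)
JSON_EVENT = (
    r'{"name": "session_started", "params": "{\"request_id\": '
    r'\"0af2918a-0125-4573-9a27-bd1a6deef75d\", \"subject\": \"mmt-112\"}", '
    r'"time": "2021-09-16T09:24:08.355865"}'
)


def load_props(text):
    """Parse props.conf-style INI text. interpolation=None keeps '%' literal."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep TIME_PREFIX etc. in their original case
    cp.read_string(text)
    return cp


def splunk_to_strptime(fmt):
    """Splunk extends strptime with %3N/%6N/%9N for sub-second digits; Python uses %f."""
    return re.sub(r"%[369]N", "%f", fmt)


def extract_time(event, stanza):
    """Emulate TIME_PREFIX + TIME_FORMAT + MAX_TIMESTAMP_LOOKAHEAD on one event.

    Returns an aware datetime, or None when nothing after the prefix parses
    (the case in which Splunk falls back to another time source, which is the
    symptom described in the question).
    """
    prefix = stanza["TIME_PREFIX"]
    fmt = splunk_to_strptime(stanza["TIME_FORMAT"])
    lookahead = int(stanza.get("MAX_TIMESTAMP_LOOKAHEAD", "128"))
    m = re.search(prefix, event)
    if not m:
        return None
    window = event[m.end(): m.end() + lookahead]
    # Splunk parses from the start of the window; strptime needs an exact span,
    # so try the longest candidate first and shrink until one parses.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
        return ts.replace(tzinfo=timezone.utc)  # assumes TZ = UTC, as in the stanza
    return None


def decode_form_body(event):
    """URL-decode a form body so %3A becomes ':' again."""
    return unquote_plus(event)


def demo():
    cp = load_props(PROPS_CONF)
    return {
        "json": extract_time(JSON_EVENT, cp["rest_session"]),
        "form_raw": extract_time(URLENCODED_EVENT, cp["rest_form"]),
        "form_decoded": extract_time(decode_form_body(URLENCODED_EVENT), cp["rest_form"]),
    }


if __name__ == "__main__":
    for name, ts in demo().items():
        print(f"{name}: {ts.isoformat() if ts else 'no timestamp found'}")
```

Run as is, the JSON body yields 2021-09-16T09:24:08.355865+00:00, while the form body as posted yields nothing: its colons are still `%3A` in the event text, so a format containing literal `:` cannot match. Decoding the body first makes the same format succeed, which is why switching the request body to JSON, as done in the thread, is the simpler fix.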