I am using an HEC and configured a custom source type that sets _time based on a field in the JSON data. When using the "Add Data" sample data, it works great: _time gets updated. However, when actually sending data to the HEC, _time stays at indexed time (not the _time based on the data).
To give a concrete example, in the JSON I have this line: "timestampStr": "2022-06-03 19:38:19.736995059",
And built this sourcetype:
[_j_son_logan_test]
DATETIME_CONFIG =
LINE_BREAKER = \}()\{
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
disabled = false
BREAK_ONLY_BEFORE_DATE =
SHOULD_LINEMERGE = false
TIME_PREFIX = \"timestampStr\": \"
TIME_FORMAT =
KV_MODE = json
INDEXED_EXTRACTIONS = json

When using the Settings --> Add Data option and selecting that Source Type, _time shows as 2022-06-03 19:38:19.736995059. However, when I sent that JSON blob via curl to the HEC (which is set to a particular index and to use that sourcetype), the _time value shows the time it was indexed (i.e. right now, 2022-06-24). Looking at the data itself (index="my_index"), the sourcetype column shows _j_son_logan_test.
Not sure what to check next, but open to thoughts and thank you!
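Added example (not part of the original post, and not the poster's code): the two ways an HEC client can get the timestamp honoured. The JSON endpoint /services/collector/event treats each event as already parsed and takes the timestamp from the top-level "time" key (epoch seconds), not from TIME_PREFIX/TIME_FORMAT in the event body; the /services/collector/raw endpoint runs the sourcetype's line breaking and timestamp extraction. The script below builds both request bodies and the matching curl commands from a constructed sample event shaped like the one in the question. Assumptions: the sourcetype name and index from the question, a placeholder HEC token, a placeholder host, and that timestampStr values are UTC. The helper also shows the nanosecond-fraction gotcha: Python's strptime %f accepts at most six digits, so the nine-digit fraction is handled by hand.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample event in the shape the question describes (second field is filler).
SAMPLE_EVENT = {
    "timestampStr": "2022-06-03 19:38:19.736995059",
    "message": "constructed sample event",
}

# Placeholders (assumptions): replace with the real collector host and token.
HEC_HOST = "https://splunk.example.com:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
SOURCETYPE = "_j_son_logan_test"
INDEX = "my_index"


def timestamp_str_to_epoch(ts):
    """Convert 'YYYY-MM-DD HH:MM:SS.fffffffff' (up to 9 fractional digits) to epoch seconds.

    strptime's %f only takes 1-6 digits, so the fraction is parsed separately.
    Assumes the string is UTC (assumption, not stated in the question).
    """
    date_part, _, frac = ts.partition(".")
    base = datetime.strptime(date_part, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if frac and not frac.isdigit():
        raise ValueError("non-numeric fractional seconds: %r" % frac)
    frac = (frac or "0").ljust(9, "0")[:9]  # normalise to nanoseconds
    return base.timestamp() + int(frac) / 1e9


def build_event_payload(event, sourcetype=SOURCETYPE, index=INDEX):
    """Body for /services/collector/event.

    The event body is not run through TIME_PREFIX/TIME_FORMAT, so the timestamp
    must be supplied explicitly in the top-level 'time' key (epoch seconds).
    """
    envelope = {
        "time": timestamp_str_to_epoch(event["timestampStr"]),
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }
    return json.dumps(envelope)


def build_raw_payload(event):
    """Body for /services/collector/raw: the bare JSON document.

    Here the sourcetype's LINE_BREAKER, TIME_PREFIX and TIME_FORMAT do apply,
    so the stanza needs a TIME_FORMAT that matches the field (see usage note).
    """
    return json.dumps(event)


def curl_command(path, payload, query=""):
    """Render an equivalent curl invocation for the reader to compare against their own."""
    url = HEC_HOST + path + ("?" + query if query else "")
    return " ".join([
        "curl", "-k", shlex.quote(url),
        "-H", shlex.quote("Authorization: Splunk " + HEC_TOKEN),
        "-d", shlex.quote(payload),
    ])


def event_endpoint_curl(event=SAMPLE_EVENT):
    return curl_command("/services/collector/event", build_event_payload(event))


def raw_endpoint_curl(event=SAMPLE_EVENT, sourcetype=SOURCETYPE, index=INDEX):
    # For /raw, sourcetype and index are selected via query parameters, not the body.
    query = "sourcetype=%s&index=%s" % (sourcetype, index)
    return curl_command("/services/collector/raw", build_raw_payload(event), query)


if __name__ == "__main__":
    print("epoch from timestampStr:", timestamp_str_to_epoch(SAMPLE_EVENT["timestampStr"]))
    print("\n# JSON endpoint (explicit time key):\n" + event_endpoint_curl())
    print("\n# raw endpoint (props.conf extraction applies):\n" + raw_endpoint_curl())
```

If the raw endpoint is used, the stanza above still has an empty TIME_FORMAT; Splunk's TIME_FORMAT accepts %N with a width, so `%Y-%m-%d %H:%M:%S.%9N` would match the nine-digit fraction. With the JSON endpoint, the value of TIME_PREFIX is irrelevant and only the "time" key in the envelope decides _time, which matches the symptom of _time falling back to index time when that key is absent.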