Hi,

I have the following JSON which I put in through HEC:

{
  "message": {
    "metadata": {
      "id": "https://...",
      "uri": "https://...",
      "type": "com...."
    },
    "messageGuid": "AF8aCGJx-9ZI-JGyvFTGoSufbXlA",
    "correlationId": "AF8aCGI8ISFZGiG8eh9NAegmK2q5",
    "logStart": "2020-07-23T22:00:02.4",
    "logEnd": "2020-07-23T22:00:10.866",
    "integrationFlowName": "Sample_Flow",
    "status": "DONE",
    "alternateWebLink": "https://...",
    "logLevel": "INFO",
    "customStatus": "DONE",
    "transactionId": "afdfb636cbce4dd0b537b6623954a490"
  }
}

I log it with the Splunk logging library (the appender is com.splunk.logging.HttpEventCollectorLogbackAppender) with a defined sourcetype. I need to set the _time attribute of the event in Splunk to the value of the JSON field "logStart". For this purpose I have the following settings in the sourcetype:

I hoped that Splunk would set the _time value based on the settings TIMESTAMP_FIELDS and TIME_FORMAT. As a result I get the following JSON in Splunk:

{
  "severity": "INFO",
  "logger": "SplunkLogger",
  "time": "1595593644.384",
  "thread": "http-nio-8080-exec-1",
  "message": {
    "metadata": {
      "id": "https://...",
      "uri": "https://...",
      "type": "com...."
    },
    "messageGuid": "AF8aCGJx-9ZI-JGyvFTGoSufbXlA",
    "correlationId": "AF8aCGI8ISFZGiG8eh9NAegmK2q5",
    "logStart": "2020-07-23T22:00:02.4",
    "logEnd": "2020-07-23T22:00:10.866",
    "integrationFlowName": "Sample_Flow",
    "status": "DONE",
    "alternateWebLink": "https://...",
    "logLevel": "INFO",
    "customStatus": "DONE",
    "transactionId": "afdfb636cbce4dd0b537b6623954a490"
  }
}

And the _time value has been set based on the epoch time that was generated by the Splunk appender (current log time). I didn't find any way to influence the generation of the "time" field in the Splunk logging library: https://github.com/splunk/splunk-library-javalogging

How can I let Splunk set the _time value based on the specific JSON field "logStart"?

Thanks a lot

Best regards