×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mmaaxx
Explorer
Member since: ‎03-03-2025
‎07-09-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 1
Member Since ‎03-03-2025
Activity Feed
View All

Re: Sourcetype for JSON data fails to extract the ...

by in Getting Data In
‎07-09-2025 01:51 PM
1 Karma
‎07-09-2025 01:51 PM
1 Karma
Thank you for clarifying how it works!  Sending "time" along with the "event" - fixed the timestamp issue, and setting Indexed Extraction to none - fixed the duplicated fields, as all fields are essentially parsed in the application that feeds the data to the /event endpoint. Thank you! ... View more

Re: Sourcetype for JSON data fails to extract the ...

by in Getting Data In
‎07-09-2025 12:58 PM
‎07-09-2025 12:58 PM
Thank you for the suggestion! I tried "%Y-%m-%dT%H:%M:%S%:z" - same results (seems like timestamp extraction is ignored 😞  ).  I also validated my time format in PHP and Python strptime("2025-07-09T15:50:20+00:00", "%Y-%m-%dT%H:%M:%S%z") - it seems to work.    Yes, I do send to /event.  When I tried sending to /raw I get this (seems like it considers the RAW HTTP request data as "data"): It doesn't seem to be related to parsing.  ... View more

Re: Sourcetype for JSON data fails to extract the ...

by in Getting Data In
‎07-09-2025 11:57 AM
‎07-09-2025 11:57 AM
Here is a screenshot of the source type:   ... View more

Sourcetype for JSON data fails to extract the time...

by in Getting Data In
‎07-09-2025 11:56 AM
‎07-09-2025 11:56 AM
I feed data to Splunk using the HTTP Event Collector, sample event: { "event":{ "event_id": "58512040", "event_name": "Access Granted", ... "event_local_time_with_offset":"2025-07-09T14:46:28+00:00", }, "sourcetype": "BBL_splunk_pacs" }     I set up datasource type BBL_splunk_pacs (see screenshot below) When I search for the events, I get: I see 2 issues: _time is not parsed correctly from the event_local_time_with_offset.  Most of the time, randomly (?), we get all event fields duplicated, and sometimes they are not duplicated.   Any idea what I may be doing wrong?  Thank you.       ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-09-2025 11:40 AM
Karma from
View All
Karma given to
View All