I am trying to set _time from a given stanza that occurs after the sourcetype stanza is forced. I am using a generic or catch-all sourcetype stanza initially to receive data from the HTTP Event Collector and then force the events to their appropriate sourcetype from transforms. This sourcetype forcing works perfectly and assigns to the correct sourcetypes 2, 3 and 4 below, as expected.

Now, I want to be able to set _time to the value that comes from the TIME_PREFIX that is defined within each forced stanza, but this is not working. _time is always being set from whatever TIME_PREFIX is in the first stanza (sourcetype_1), or, if I don't specify a TIME_PREFIX in the first stanza, Splunk will still assign a _time based on the default time rules.

Is there any way to have _time set within each forced sourcetype stanza, or will it only ever work from the first stanza at index time? I could probably create my own datetime.xml, but I was hoping to use the forcing of the sourcetype and have the _time value set within each forced sourcetype stanza. Below is an example:
[sourcetype_1]   (catch-all)
Do not assign _time here.
Force sourcetypes 2-4 and have _time assigned in those stanzas.

[sourcetype_2]
Want _time set here based on TIME_PREFIX.

[sourcetype_3]
Want _time set here based on TIME_PREFIX.

[sourcetype_4]
Want _time set here based on TIME_PREFIX.
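For readers arriving at this question, the following props.conf / transforms.conf pair is an added illustration of the setup described above; it is not configuration from the original post, and the stanza names, the `force_st_*` transform names, the HEC token and the sample timestamp regexes are assumed. The catch-all stanza does the per-event sourcetype override, and each target stanza carries its own TIME_PREFIX and TIME_FORMAT, which is exactly the layout the poster reports as not honouring _time.

```ini
# props.conf  (added example; names and regexes are assumptions)

# Catch-all sourcetype bound to the HEC token in inputs.conf
[hec_catchall]
# Sourcetype override is applied per event by these transforms, in order.
TRANSFORMS-force_sourcetype = force_st_2, force_st_3, force_st_4
# Timestamp settings placed HERE are the ones actually used at index time:
# timestamp extraction happens in the parsing/merging pipeline, before the
# typing pipeline applies TRANSFORMS-based sourcetype overrides.  Settings
# in the forced stanzas below are not consulted for _time.
TIME_PREFIX   = "(?:event_ts|timestamp|ts)"\s*:\s*"
TIME_FORMAT   = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 40

# Forced target sourcetypes: search-time settings (KV_MODE, EXTRACT-*, etc.)
# defined here DO apply, but TIME_PREFIX/TIME_FORMAT here are never used.
[sourcetype_2]
TIME_PREFIX = "event_ts"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z

[sourcetype_3]
TIME_PREFIX = "timestamp"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z

[sourcetype_4]
TIME_PREFIX = "ts"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z

# transforms.conf  (added example; match patterns are assumptions)

[force_st_2]
REGEX      = "app"\s*:\s*"app2"
FORMAT     = sourcetype::sourcetype_2
DEST_KEY   = MetaData:Sourcetype

[force_st_3]
REGEX      = "app"\s*:\s*"app3"
FORMAT     = sourcetype::sourcetype_3
DEST_KEY   = MetaData:Sourcetype

[force_st_4]
REGEX      = "app"\s*:\s*"app4"
FORMAT     = sourcetype::sourcetype_4
DEST_KEY   = MetaData:Sourcetype
```

Two practical consequences follow from the pipeline order. First, if the three feeds use different timestamp fields or formats, the only stanza that can fix _time for all of them is the catch-all, so its TIME_PREFIX has to be a regex that matches every variant (or the feeds need a common timestamp field). Second, if the feeds genuinely need different timestamp rules, the cleaner design is to stop sharing one HEC token: give each feed its own token with `sourcetype = sourcetype_N` set in inputs.conf, so that each event enters the pipeline with the right sourcetype and its stanza's timestamp settings apply directly, with no override step at all.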