I have the issue that the TIMESTAMP_FIELDS setting in the props.conf on the Universal Forwarder is not taken into account. It seems like the field _time is filled in with the time the line is being indexed and not take from the log line itself.
Splunk Enterprise:
VERSION=6.6.3
BUILD=e21ee54bc796
PRODUCT=splunk
PLATFORM=Linux-x86_64
Splunk Universal Forwarder:
VERSION=6.6.3
BUILD=e21ee54bc796
PRODUCT=splunk
PLATFORM=Linux-x86_64
Log line example:
{"Application":"CNIP","CallStatus":"OK","CallType":"TERM-RP","Called":"xxxxxxxxx","Calling":"xxxxxxxxx","Clir":"false","DelayTime":"161","Error":"","ErrorBy":"","ErrorSeverity":"","Name":"xxxxxxxxx","NameBy":"DisDB","OverwriteCli":"","Protocol":"SIPPROXY","SessionId":"xxxxxxxxx","StartTime":"2018-06-20T08:36:00Z","StopTime":"2018-06-20T08:36:00Z","logLevel":1}
How it is seen on Splunk:
As you can see, the times are not taken from the "StartTime" field in the logline.
Here the config on the Forwarder:
inputs.conf
[monitor:///locationOnServer/LogFile]
index=csdp_prod_services
source=CNIPService
sourcetype=CnipCallLog.log
ignoreOlderThan=1d
props.conf
[CNIPService]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=json
KV_MODE=none
category=Structured
disabled=false
TIMESTAMP_FIELDS=StartTime
TZ = UTC #I tried with and without this field, same behavior
TIME_FORMAT=%FT%TZ #I tried with and without this field, same behavior
What am I missing here to make this work? I want the _time field to be filled in based on the "StartTime" field in the log lines.
... View more