A problem I have been encountering is trying to set a date field within my json response file as the _time field in my Splunk data upon import. I have read lots of posts on it and found that less is more when it comes to accomplishing this. Adding the following stanza in a props.conf file in the /opt/splunkforwarder/etc/system/local folder accomplished this. As you can see by the path is is on the Splunk Univeral Forwarder.
The json file is created by a python script file that hits an API and returns the data (more on that later). The date field is the second date field in the json string. So Splunk was grabbing the first one and sometimes it was taking the file creation date and time.
After trying several different variations of the stanza the below code finally worked. I hope this helps you!
[source::/data/logs/prod.json]
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N
TIME_PREFIX="lastInformTime": "
MAX_TIMESTAMP_LOOKAHEAD = 24
MAX_DAYS_HENCE = 10
Here are some of the other answers I tried.
How to configure Splunk to set _time to a specific field?
We ended up using the following – base search | eval _time=strptime(eventStartTime,”%Y-%m-%d %H:%M:%S.%N”) Which works perfectly. Is there a way to set it up in the configuration, so eventStartTime is assigned to _time?
How to change the _time to values inside the event data?
I want to make area graphs of data usage on individual servers based on the timestamp given in the event data and not the default _time values. This is an example of an event: 2017-06-29 19:32:57.254, DBNAME=“BRMTPRD”, SNAPDATE=“2017-06-18 03:00:32.0″, TSTYPE=“REDO”, TSNAME=“ONLINEREDOSTBY”, ALLOCAT…
Use default fields – Splunk Documentation
Fields are searchable name-value pairs in event data. When you search, you’re matching search terms against segments of your event data; you can search more precisely by using fields. Fields are extracted from event data at either index time or search time. The fields that are extracted automaticall…
