Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I set _time with collect _raw?

yurykiselev
Path Finder
‎10-05-2018 05:29 AM

Hi!
I have to collect some JSON "as is" - not as key-value pair. How can I set event timestamp in this case?

... | eval _time=strptime(...) | table _time _raw | collect index="..."

... doesn't work: _time is ignored with _raw present and replaced with cirrent time. I could do:

... | eval data = _raw | table _time data | collect ...

, but it generates key-value-event with "data={my_json_from_raw}"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-06-2018 12:15 PM

Hi @yurykiselev,
If time is already in the _raw in a format that Splunk can understand easily then you will add addtime=false as a option with collect command and Splunk will automatically extracts time from _raw no need to extract separately.

If not the above scenario then you have to write props.conf for the source-type you are using.

  • If time format is weird then you must have specify time format into TIME_FORMAT. (This may help you in writing that format)

  • If time format is not available within first 128 characters of _raw event then you have to add MAX_TIMESTAMP_LOOKAHEAD.

  • You can also specify TIME_PREFIX. (props.conf may help you in all the configuration writing)

Hope this helps!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-06-2018 12:15 PM

Hi @yurykiselev,
If time is already in the _raw in a format that Splunk can understand easily then you will add addtime=false as a option with collect command and Splunk will automatically extracts time from _raw no need to extract separately.

If not the above scenario then you have to write props.conf for the source-type you are using.

  • If time format is weird then you must have specify time format into TIME_FORMAT. (This may help you in writing that format)

  • If time format is not available within first 128 characters of _raw event then you have to add MAX_TIMESTAMP_LOOKAHEAD.

  • You can also specify TIME_PREFIX. (props.conf may help you in all the configuration writing)

Hope this helps!!

0 Karma
Reply
Solved! Jump to solution

yurykiselev
Path Finder
‎10-08-2018 06:24 AM

Thank you! I added date at begin of data "%Y-%m-%d %H:%M:%S" - it's recignized without any props defineding.

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-08-2018 07:13 AM

Nice!!, This time format is identify by Splunk so good for you.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...