Solved: Why is the TIMESTAMP_FIELDS setting in props.conf,...

sander_vandamme · ‎06-20-2018

I have the issue that the TIMESTAMP_FIELDS setting in the props.conf on the Universal Forwarder is not taken into account. It seems like the field _time is filled in with the time the line is being indexed and not take from the log line itself.

Splunk Enterprise:

VERSION=6.6.3
BUILD=e21ee54bc796
PRODUCT=splunk
PLATFORM=Linux-x86_64

Splunk Universal Forwarder:

VERSION=6.6.3
BUILD=e21ee54bc796
PRODUCT=splunk
PLATFORM=Linux-x86_64

Log line example:

{"Application":"CNIP","CallStatus":"OK","CallType":"TERM-RP","Called":"xxxxxxxxx","Calling":"xxxxxxxxx","Clir":"false","DelayTime":"161","Error":"","ErrorBy":"","ErrorSeverity":"","Name":"xxxxxxxxx","NameBy":"DisDB","OverwriteCli":"","Protocol":"SIPPROXY","SessionId":"xxxxxxxxx","StartTime":"2018-06-20T08:36:00Z","StopTime":"2018-06-20T08:36:00Z","logLevel":1}

How it is seen on Splunk:

As you can see, the times are not taken from the "StartTime" field in the logline.
Here the config on the Forwarder:
inputs.conf

[monitor:///locationOnServer/LogFile]
index=csdp_prod_services
source=CNIPService
sourcetype=CnipCallLog.log
ignoreOlderThan=1d

props.conf

[CNIPService]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=json
KV_MODE=none
category=Structured
disabled=false
TIMESTAMP_FIELDS=StartTime
TZ = UTC #I tried with and without this field, same behavior
TIME_FORMAT=%FT%TZ #I tried with and without this field, same behavior

What am I missing here to make this work? I want the _time field to be filled in based on the "StartTime" field in the log lines.

sander_vandamme · ‎06-20-2018

Problem is solved.
What I did was a combination of the answers above.

I added the following to the props.conf on the indexer (so not the UF):

TIME_PREFIX = StartTime\": 
TIME_FORMAT=%FT%TZ

TIME_PREFIX: The \" after the field name (as proposed above) was not needed, this caused the indexer to stop accepting new events on this input.)
After applying these changes, it worked perfectly!

Thank you all for the help!

View solution in original post

sander_vandamme · ‎06-20-2018

Problem is solved.
What I did was a combination of the answers above.

I added the following to the props.conf on the indexer (so not the UF):

TIME_PREFIX = StartTime\": 
TIME_FORMAT=%FT%TZ

TIME_PREFIX: The \" after the field name (as proposed above) was not needed, this caused the indexer to stop accepting new events on this input.)
After applying these changes, it worked perfectly!

Thank you all for the help!

FrankVl · ‎06-20-2018

Shouldn't that props.conf go on your indexer instead of the UF?

sander_vandamme · ‎06-20-2018

When I add the following config to the indexer instead of the UF:
TIME_PREFIX = StartTime:
TIME_FORMAT=%FT%TZ

--> same behavior so not working.

When I add the following config to the indexer instead of the UF:
TIME_PREFIX = StartTime\":\"
TIME_FORMAT=%FT%TZ

--> nothing is being indexed anymore for this input.

p_gurav · ‎06-20-2018

Can you try TIME_PREFIX = StartTime: instead of TIMESTAMP_FIELDS?

mayurr98 · ‎06-20-2018

It should be TIME_PREFIX = StartTime\":\"

sander_vandamme · ‎06-20-2018

That is also not working.
just now, I did notice that if I change the language (change en-Us to en-GB in the url), the display of the timestamp is not changing on Splunk. So could this be a clue? Splunk seems not to recognize the timestamp format.
On other log we have (with different timestamp formats) we do see the display of the timestamp changing when changing the language of the web GUI.

sander_vandamme · ‎06-20-2018

This proposal has the same behavior. So it is still not working.

Why is the TIMESTAMP_FIELDS setting in props.conf, on the Universal Forwarder, not taken into account?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms