I am developing a Python add-on and I am trying to specify a `_time` composed of two JSON fields, `lastTstamp` and `lastDate`, at index time. Therefore, the extraction is getting a different and wrong timestamp.
JSON input:

```json
{
  "lastTstamp": "15:32:02Z",
  "lastDate": "2015-10-23",
  "id": "a4ec1ba0-ab74-11e6-a19f-0a7e67dda05f",
  "status": "new"
}
```
Event output: `_time: 2015-11-18T05:55:58.000+00:00`
So far I tried two approaches:

1st approach: Using `helper.new_event` + `ew.write_event(event)`

```python
from datetime import datetime
import calendar
import json

# helper, ew and data_json are provided by the Add-on Builder modular-input template.
utc_dt = datetime.strptime(data_json['lastDate'] + 'T' + data_json['lastTstamp'],
                           '%Y-%m-%dT%H:%M:%SZ')
# The 'Z' marks UTC, so convert with calendar.timegm; time.mktime would read the
# naive tuple as local time and shift the epoch by the forwarder's UTC offset.
event = helper.new_event(time=calendar.timegm(utc_dt.timetuple()),
                         source=helper.get_input_type(),
                         index=helper.get_output_index(),
                         sourcetype=helper.get_sourcetype(),
                         data=json.dumps(data_json))
ew.write_event(event)
```
2nd approach: Edit `props.conf` and `transforms.conf`

transforms.conf:

```
[alert_time]
REGEX = 'lastDate': u'(\d{4}-\d{2}-\d{2}).*lastTstamp': u'(\d{2}:\d{2}:\d{2})
FORMAT = $1T$2.000+00:00
DEST_KEY = _time
```

props.conf:

```
[json_alert]
KV_MODE = json
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
TRANSFORMS-datetime = alert_time
```
In some cases a time zone difference is expected as normal, but as depicted in the example above, there is a huge gap between the input and output timestamps.
Solved by setting `DATETIME_CONFIG = NONE` in `props.conf`, which means the extraction will leave the event time set to whatever time was selected by the input layer.
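Once `DATETIME_CONFIG = NONE` hands `_time` straight through from the input layer, the value passed as `time=` has to be a correct UTC epoch. The following added example (mine, not code from the question or from the Splunk Add-on Builder SDK) derives that epoch from the two fields, rejects records where a field is missing or lacks the `Z` suffix, and measures how far a naive `time.mktime` conversion drifts by the forwarder's local UTC offset; `SAMPLE`, `FMT` and the function names are assumptions.

```python
# Added example (not from the question or the Splunk Add-on Builder SDK):
# derive the UTC epoch the modular input hands to helper.new_event(time=...).
# With DATETIME_CONFIG = NONE that value becomes _time unchanged, so it must
# already be correct UTC rather than a local-time reading of the two fields.
import json
import time
from datetime import datetime, timezone

# Constructed sample record, same shape as the event in the question.
SAMPLE = {"lastTstamp": "15:32:02Z", "lastDate": "2015-10-23",
          "id": "a4ec1ba0-ab74-11e6-a19f-0a7e67dda05f", "status": "new"}

FMT = "%Y-%m-%dT%H:%M:%SZ"  # lastDate + 'T' + lastTstamp; the 'Z' marks UTC

def alert_epoch(data_json):
    """UTC epoch (int) for lastDate + 'T' + lastTstamp.
    Raises ValueError on a missing or malformed field, so a bad record fails
    loudly instead of silently falling back to indexing time."""
    try:
        stamp = data_json["lastDate"] + "T" + data_json["lastTstamp"]
    except KeyError as exc:
        raise ValueError(f"missing field {exc}") from None
    naive = datetime.strptime(stamp, FMT)  # ValueError if the shape is wrong
    # Attach UTC explicitly; .timestamp() on a naive datetime would use local time.
    return int(naive.replace(tzinfo=timezone.utc).timestamp())

def is_well_formed(data_json):
    """True when alert_epoch() can derive a timestamp from the record."""
    try:
        alert_epoch(data_json)
        return True
    except ValueError:
        return False

def mktime_skew_seconds(data_json):
    """Offset of a naive time.mktime() conversion from the correct epoch.
    mktime reads the tuple as local wall-clock time, so the skew is the negated
    local UTC offset; it is 0 only when the forwarder runs with TZ=UTC."""
    naive = datetime.strptime(data_json["lastDate"] + "T" + data_json["lastTstamp"], FMT)
    return int(time.mktime(naive.timetuple())) - alert_epoch(data_json)

def event_kwargs(data_json):
    """Arguments for helper.new_event(); source/index/sourcetype come from the
    helper object in the real input and are omitted here."""
    return {"time": alert_epoch(data_json), "data": json.dumps(data_json)}

def utc_iso(epoch):
    """Render an epoch as Splunk shows _time in UTC, for comparison by eye."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
```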