Scripted input with powershell - SplunkTime not wo...

mark19632 · ‎12-18-2015

Hi,

I have a PowerShell script that's being executed, but the event time is showing as the time the script runs.

The script outputs objects like this:

SplunkTime : 12/05/2015 15:32:06
RESEND_TYPE : 12404
SHOP_CODE : 1535
START_DAY : 512
START_NUMBER : 75244
END_DAY : 512
END_NUMBER : 75245
REQUEST_RECEIVED_AT : 12/05/2015 15:32:06

I've added the SplunkTime, but it's not shown on the search and the time is time the run time:
17/12/2015
22:43:27.000

RESEND_TYPE="12404"
SHOP_CODE="1535"
START_DAY="512"
START_NUMBER="97772"
END_DAY="512"
END_NUMBER="97773"
REQUEST_RECEIVED_AT="12/05/2015 17:19:36"

Any ideas?

Thanks,

Mark

javiergn · ‎12-18-2015

What's in your props.conf?

mark19632 · ‎12-18-2015

Nothing related to this.

I thought Splunk you pickup the time from the SplunkTime variable as per:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts

Thanks,

Mark

javiergn · ‎12-18-2015

Try renaming your SplunkTime variable to _time in PowerShell and see if that works.
Splunk should pick up the time automatically, but what I can see from your output is that there are multiple times being returned, and that might lead to confusions.

That's the reason you need a props.conf stanza for your sourcetype where you specify things like your time format, prefix, lookahead, etc.

Take a look at this: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

Scripted input with powershell - SplunkTime not working

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...