Hello,
I have user event logs that I'm trying to ingest over TCP. Every event is a JSON object like this:
{key1:v1,....,event:{time:"$ISO8601_VALUE",keyn:vn}...}
Here's my props.conf on indexer node (I don't use forwarders yet):
/opt/splunk/etc/apps/search/local/props.conf:
[usr_event]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = event.time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TZ = UTC
category = Custom
pulldown_type = 1
KV_MODE = json
SHOULD_LINEMERGE = false
disabled = false
When I use this source type on a file input, the timestamp is extracted correctly in preview, but when I use the same source type on a TCP input, my custom timestamp setting is ignored, so I get the timestamp of the time of loading.
I prefer TCP as it makes it a lot easier to stream back-fill input for historical data as well as for daily ETL.
Is there something wrong with my settings?
Thanks,
David
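As an added example (not part of the post above and not Splunk's own code), the following script approximates what the stanza's TIMESTAMP_FIELDS, TIME_FORMAT and TZ settings would do to a few events, using Python's strptime. It is a quick way to confirm that the configured format actually consumes the values the producer emits before debugging the input type: strptime is strict, so a trailing "Z", fractional seconds or a UTC offset that the format does not mention makes the whole value fail. Splunk's timestamp processor is not strptime, so treat a mismatch here as a hint to verify on the indexer, not as proof. The sample events are constructed for the example; the only zone handled is UTC, matching the stanza.

```python
"""Sanity-check a props.conf timestamp stanza against sample JSON events.

Added example, not from the original post or from Splunk. It approximates
TIMESTAMP_FIELDS / TIME_FORMAT / TZ with Python's strptime; Splunk's own
timestamp processor behaves differently in places, so use this as a hint.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Values copied from the stanza in the post.
TIMESTAMP_FIELDS = "event.time"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
TZ = "UTC"  # assumption for this example: UTC is the only zone handled here


def get_dotted(obj, path: str):
    """Walk a Splunk-style dotted field name (event.time) through nested JSON."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_event_time(raw_line: str) -> Optional[datetime]:
    """Return the timestamp the stanza would extract from one event line.

    None means the configured field/format does not match, which is the
    situation in which an indexer falls back to some other time source.
    """
    try:
        event = json.loads(raw_line)
    except json.JSONDecodeError:
        return None
    value = get_dotted(event, TIMESTAMP_FIELDS)
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.strptime(value, TIME_FORMAT)
    except ValueError:
        # strptime rejects any unconsumed suffix ('Z', '.123', '+00:00').
        # Splunk may treat trailing text differently; verify on the indexer.
        return None
    if TZ == "UTC":
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


# Constructed sample events (not from the post): the shapes an "ISO 8601"
# producer typically emits, plus one event with the field missing.
SAMPLE_EVENTS = [
    '{"key1":"v1","event":{"time":"2023-05-01T12:34:56","keyn":"vn"}}',
    '{"key1":"v1","event":{"time":"2023-05-01T12:34:56Z","keyn":"vn"}}',
    '{"key1":"v1","event":{"time":"2023-05-01T12:34:56.123+00:00","keyn":"vn"}}',
    '{"key1":"v1","event":{"keyn":"vn"}}',
]


def check_samples(lines=SAMPLE_EVENTS):
    """Map each sample line to its parsed timestamp, or None on mismatch."""
    return [parse_event_time(line) for line in lines]


if __name__ == "__main__":
    for line, ts in zip(SAMPLE_EVENTS, check_samples()):
        print(f"{'OK  ' if ts else 'MISS'} {line} -> {ts}")
```

Only the first sample parses with the posted TIME_FORMAT; the "Z" and fractional/offset variants fail because the format string says nothing about them, and the last fails because the field is absent. If your real events look like the second or third line, the format string needs to account for the suffix regardless of which input type delivers the data.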