Hello, splunk community.
I am new to splunk and already reviewed ton of info on the topic but I still can't get why I can't get splunk light to read _time from my event.
The event sent looks like this
{"event": {
"attributed_touch_type": "",
"attributed_touch_time": "",
"event_time": "2019-08-22 10:10:10",
"event_name": "install",
"event_value": "",
"event_revenue": "",
}}
I configure my props.conf file here
... /opt/splunk/etc/system/local/
with the following params
[appsflyer]
ATETIME_CONFIG = NONE
TIME_PREFIX = \"event_time\" :\"
MAX_TIMESTAMP_LOOKAHEAD = 9999
TIME_FORMAT = %Y-%m-%d %H:%M:%S
I reset server several times and made sure data was indexed after reset. Any idea why splunk would not recognize my event_time for _time? Any help would be appreciated.
Thank you in advance.
... View more