Using HEC on a heavy forwarder, I receive JSON that comes in as follows:
{
"env": "prod",
"org": "xxx",
"percentile": "95",
"proxy": "xxx",
"region": "europe-west1",
"target": "ALL",
"time": "2019-02-26T10:54:00.000+01:00",
"totalLatency": 362,
"targetLatency": 359
}
I want to override the indexed _time field with the time field from the event. I've tried all forms of the following in props.conf:
[stansa]
TIMESTAMP_FIELDS = time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
TIME_PREFIX = time\":\s*\"
KV_MODE = json
but _time sticks to the indexing time, with the Splunk event looking like this:
time
2019-02-26T10:54:00.000+01:00
_time
2019-02-26T10:55:11.000+01:00
Please help me understand why Splunk stubbornly refuses to recognise me passing it a timestamp.
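The following is an added example, not part of the original question, for checking the settings above offline. It emulates how Splunk's TIME_PREFIX and TIME_FORMAT would consume the raw text of the event (TIME_FORMAT is strptime-like; Splunk's %3N and %:z are mapped to Python's %f and %z), which shows that the posted TIME_FORMAT stops before the +01:00 offset, and it builds a HEC /services/collector/event envelope whose top-level time key carries the event's timestamp as epoch seconds, which is the key that endpoint reads for _time. The sourcetype name, the TIME_FORMAT variant with %:z and the assumption that an offset-less time string is UTC are mine, not from the question.

```python
"""Offline check of Splunk timestamp handling for the HEC event above.

Added example (not from the original question). Emulates two things:
  1. how TIME_PREFIX / TIME_FORMAT consume the raw event text, and
  2. the HEC /services/collector/event envelope with epoch "time" set.
"""
import json
import re
from datetime import datetime, timezone

# Constructed copy of the event shown in the question.
EVENT = {
    "env": "prod",
    "org": "xxx",
    "percentile": "95",
    "proxy": "xxx",
    "region": "europe-west1",
    "target": "ALL",
    "time": "2019-02-26T10:54:00.000+01:00",
    "totalLatency": 362,
    "targetLatency": 359,
}

# props.conf settings from the question, plus a variant that also consumes
# the UTC offset (assumed fix, not from the question).
TIME_PREFIX = r'time\":\s*\"'
TIME_FORMAT_POSTED = "%Y-%m-%dT%H:%M:%S.%3N"
TIME_FORMAT_WITH_TZ = "%Y-%m-%dT%H:%M:%S.%3N%:z"
MAX_TIMESTAMP_LOOKAHEAD = 128  # Splunk's default for this setting


def raw_event(event: dict) -> str:
    """Serialise the event the way it appears in the question (one key per line)."""
    return json.dumps(event, indent=0)


def splunk_to_strptime(fmt: str) -> str:
    """Map Splunk's TIME_FORMAT extensions onto Python strptime directives."""
    fmt = re.sub(r"%[369]N", "%f", fmt)   # %3N/%6N/%9N: fractional seconds
    return fmt.replace("%:z", "%z")       # %:z: offset with colon, e.g. +01:00


def extract_timestamp(raw: str, time_prefix: str, time_format: str):
    """Emulate Splunk's extraction: TIME_FORMAT is matched against the text
    following TIME_PREFIX and a leading match is accepted, so the longest
    parseable prefix wins. Returns a datetime (aware if the format consumed
    an offset, naive otherwise) or None if nothing matches."""
    m = re.search(time_prefix, raw)
    if not m:
        return None
    window = raw[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    py_fmt = splunk_to_strptime(time_format)
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], py_fmt)
        except ValueError:
            continue
    return None


def iso_to_epoch(ts: str) -> float:
    """Convert the event's ISO-8601 time (with offset) to epoch seconds."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: no offset means UTC
    return dt.timestamp()


def build_hec_payload(event: dict, sourcetype: str) -> dict:
    """Wrap the event in a HEC envelope whose top-level "time" is epoch seconds.
    The /services/collector/event endpoint takes _time from this key; a "time"
    nested inside "event" is just another field of the event."""
    return {
        "time": iso_to_epoch(event["time"]),
        "sourcetype": sourcetype,
        "event": event,
    }


if __name__ == "__main__":
    raw = raw_event(EVENT)
    posted = extract_timestamp(raw, TIME_PREFIX, TIME_FORMAT_POSTED)
    with_tz = extract_timestamp(raw, TIME_PREFIX, TIME_FORMAT_WITH_TZ)
    print("posted TIME_FORMAT   ->", posted, "offset consumed:", posted.tzinfo is not None)
    print("TIME_FORMAT with %:z ->", with_tz, "offset consumed:", with_tz.tzinfo is not None)
    print(json.dumps(build_hec_payload(EVENT, "my_sourcetype"), indent=2))  # placeholder sourcetype
```

Run it and the first line shows the posted format parsing 10:54:00 with no offset, so Splunk would fall back to the TZ setting or the forwarder's local zone for that part; the second line shows the %:z variant consuming the +01:00. Two settings in the posted stanza do not affect _time at all: TIMESTAMP_FIELDS is only honoured together with INDEXED_EXTRACTIONS, and KV_MODE = json is a search-time setting.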