Hi,
I have this JSON event I put in through HEC:
{
  "time": "2019-10-01T11:29:53.817",
  "eventType": "Computer Room Temp Monitoring",
  "location": {
    "dataCenter": "PDC1",
    "hostname": "PELLE",
    "temp": {
      "dateStart": "2019-10-02T16:24:43",
      "dateEnd": "2019-10-02T16:29:53.817",
      "average": 23,
      "min": 21,
      "max": 24
    }
  }
}
But I am unable to set the "time" as the actual event time:
Have tried with both "_json" and my own sourcetype but to no avail. Have tried with both EPOCH and time format as above.
My own sourcetype looks like this in props.conf:
[crtemp]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = time
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = 1
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q
TIME_FORMAT =
TIME_PREFIX = time
MAX_TIMESTAMP_LOOKAHEAD = 30