Hello,
I am trying to set `_time` from a given stanza that occurs after the `sourcetype` stanza is forced. I am using a generic or catch-all `sourcetype` stanza initially to receive data from the HTTP Event Collector and then force the events to their appropriate `sourcetype` from transforms. This `sourcetype` forcing works perfectly and assigns to the correct sourcetypes 2, 3 and 4 below, as expected.
Now, I want to be able to set the `_time` to the value that comes from the `time_prefix` that is defined within each forced stanza, but this is not working. The `_time` is always being set to any `time_prefix` in the first stanza ( `sourcetype_1` ), or if I don't specify a `time_prefix` in the first stanza, Splunk will still assign a `_time` based on the default time rules.
Is there any way to have the `_time` set within each forced `sourcetype` stanza, or will it only be able to work from the first stanza at index time? I could probably create my own datetime.xml, but I was hoping to use the forcing of the `sourcetype` and have the `_time` value set within each forced `sourcetype` stanza. Below is an example:
[sourcetype_1 catch all]
Do not assign _time here
Force sourcetypes 2-4 and have _time assigned in those stanzas
[sourcetype_2]
Want _time set here based on time_prefix.
[sourcetype_3]
Want _time set here based on time_prefix.
[sourcetype_4]
Want _time set here based on time_prefix.
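An added example, not part of the post above and not the poster's configuration. In Splunk the timestamp is extracted in the merging pipeline, before the typing pipeline where a transforms-based `MetaData:Sourcetype` override runs, so a `TIME_PREFIX` in a forced stanza never sees the event; only the catch-all stanza's timestamp rules (or the defaults) apply. The workaround this script shows is to do the classification and the time extraction on the HEC client and send each event through the JSON `/services/collector/event` endpoint with its own `sourcetype` and epoch `time` fields, which Splunk honours directly and which bypasses index-time timestamp extraction. The sourcetype names mirror the post; the regexes, time formats and sample log lines are constructed for illustration and are assumptions.

```python
"""Classify raw HEC payloads and stamp them with sourcetype and time client-side.

Mirrors the poster's intent (catch-all sourcetype_1, forced sourcetype_2..4,
per-sourcetype time prefix) but performs it before the event reaches Splunk.
All regexes, formats and sample lines below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Pattern

DEFAULT_SOURCETYPE = "sourcetype_1"  # the catch-all stanza from the post


@dataclass(frozen=True)
class Rule:
    sourcetype: str
    match_re: Pattern       # plays the role of the transforms.conf REGEX
    time_re: Pattern        # TIME_PREFIX plus the timestamp, captured as <ts>
    time_fmt: str           # strptime format, or "epoch" for raw epoch seconds


# Assumed rules; in the post these would be the forced stanzas 2-4.
RULES = [
    Rule("sourcetype_2", re.compile(r"^app2\b"),
         re.compile(r"ts=(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"),
         "%Y-%m-%d %H:%M:%S"),
    Rule("sourcetype_3", re.compile(r"^app3\|"),
         re.compile(r"^app3\|(?P<ts>\d+)\|"),
         "epoch"),
    Rule("sourcetype_4", re.compile(r"^\[app4\]"),
         re.compile(r"^\[app4\] (?P<ts>\d\d/[A-Za-z]{3}/\d{4}:\d\d:\d\d:\d\d)"),
         "%d/%b/%Y:%H:%M:%S"),
]


def classify(raw: str) -> Optional[Rule]:
    """Return the first rule whose REGEX matches, or None for the catch-all."""
    for rule in RULES:
        if rule.match_re.search(raw):
            return rule
    return None


def extract_time(raw: str, rule: Rule) -> Optional[float]:
    """Apply the rule's time prefix/format and return epoch seconds (UTC assumed)."""
    m = rule.time_re.search(raw)
    if not m:
        return None
    token = m.group("ts")
    if rule.time_fmt == "epoch":
        return float(token)
    dt = datetime.strptime(token, rule.time_fmt).replace(tzinfo=timezone.utc)
    return dt.timestamp()


def to_hec_event(raw: str) -> dict:
    """Build one HEC JSON envelope with explicit sourcetype and (if found) time.

    When no rule matches, the event keeps the catch-all sourcetype and carries no
    time field, so Splunk falls back to that stanza's timestamp rules.
    """
    rule = classify(raw)
    envelope = {"sourcetype": rule.sourcetype if rule else DEFAULT_SOURCETYPE,
                "event": raw}
    if rule:
        ts = extract_time(raw, rule)
        if ts is not None:
            envelope["time"] = ts
    return envelope


def build_batch(lines) -> str:
    """Newline-delimited JSON body for POST /services/collector/event."""
    return "\n".join(json.dumps(to_hec_event(line)) for line in lines)


if __name__ == "__main__":
    # Constructed sample payloads, one per sourcetype plus one unmatched line.
    sample = [
        "app2 ts=2024-03-01 12:00:05 msg=login ok",
        "app3|1709294405|user=bob",
        "[app4] 01/Mar/2024:12:00:05 GET /",
        "unrecognized payload",
    ]
    # Send with: POST https://<splunk>:8088/services/collector/event
    #            Authorization: Splunk <hec-token>
    print(build_batch(sample))
```

Because every event now arrives with `time` already set, the `TIME_PREFIX` question disappears for the forced sourcetypes; the catch-all stanza only has to cope with whatever the client could not classify.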