How to manually set timestamp for Splunk logs?

Question

I have a database table full of logs, and I would like to upload that into Splunk by executing a query to get an array of logs, then iterating over it and running console.log() on each log. This almost works fine, however the timestamp that Splunk picks up for each log is based on whatever time I run the upload script.

Is there any way I can transform my log object so that Splunk will use the timestamps I provide? For example, one of my logs might look like:

{
  id: 2910432221,
  log_timestamp: 2019-08-07T19:04:03.000Z,
  userId: 2331,
  actionId: 45
}

Ideally, I would be able to run something like this, and have the value of splunk_timestamp appear in the Time column in the Splunk dashboard.

console.log({
 id: 2910432221,
 splunk_timestamp: 2019-08-07T19:04:03.000Z,
 userId: 2331,
 actionId: 45
})

Is anything like that possible?

Oerd Oerd · Accepted Answer · 2019-08-21T10:22:43

Splunk will try to automatically identify the _time value by picking the first field it encounters matching TIME_FORMAT. You can override this in props.conf.

I believe your problem is in the json object: what you are passing to console.log is not a valid json object. Field names and values should be properly quoted.

{
 "id": 2910432221,
 "splunk_timestamp": "2019-08-07T19:04:03.000Z",
 "userId": 2331,
 "actionId": 45
}

How to manually set timestamp for Splunk logs?

1 Answers