We use the Splunk appender via logback. We use the JSON formatter and send batched log events to the HEC event endpoint (we do not use raw mode).
We expect to see the _time field in Splunk to contain the exact time as the logback message shows.
What we see is a _time without milliseconds and we see the same timestamp for all log events in one batch call. This timestamp is not equal to the time field in the log event messages.
After investigation we found that we need to have a time field in the meta/header info and not in the event part of the json message. See example 3 in HEC docs.
We checked this in a local test run by adding this line in com.splunk.logging.serialization.HecJsonSerializer#serialize (starting at line 51):
```java
public String serialize(HttpEventCollectorEventInfo info) {
    Map<String, Object> event;
    if (this.eventHeaderSerializer != null) {
        event = eventHeaderSerializer.serializeEventHeader(info, new HashMap<>(template));
    } else {
        event = new HashMap<>(template);
        // added to get the _time field in sync: time field needs to be in the meta data of the event
        // see https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/FormateventsforHTTPEventCollector
        event.put(TIME_FIELD, String.format(Locale.US, "%.3f", info.getTime()));
    }
```
It seems that a similar line was present in 1.7.3 before, can this behaviour be added back? This relates to #197 and the issues mentioned there.
(We could possibly use a custom EventBodySerializer to work around this (as mentioned in #197 also), but that feels like a workaround.)
splunk-library-javalogging version: 1.11.0
Splunk version: 8.2.2
One batch message before the fix:
One batch message after the fix. Notice that the time field is now in there twice, it might be better to remove it from the event part:
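An added example, not the batch messages from this issue and not code from splunk-library-javalogging: a check that can be run over a captured HEC batch body to find events whose time sits only inside the event part instead of in the envelope metadata. The sample payloads, function names and finding strings are constructed for illustration.

```python
import json

# Constructed sample batches. An HEC batch is a series of JSON objects written
# back to back, not a JSON array.
BATCH_TIME_IN_EVENT_ONLY = (
    '{"sourcetype":"_json","event":{"time":"1633024800.123","message":"first"}}'
    '{"sourcetype":"_json","event":{"time":"1633024800.456","message":"second"}}'
)
BATCH_TIME_IN_METADATA = (
    '{"time":"1633024800.123","sourcetype":"_json","event":{"message":"first"}}'
    '{"time":"1633024800.456","sourcetype":"_json","event":{"message":"second"}}'
)


def split_batch(payload):
    """Yield each envelope object from a stacked HEC batch payload."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(payload):
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < len(payload) and payload[pos].isspace():
            pos += 1
        if pos >= len(payload):
            break
        envelope, pos = decoder.raw_decode(payload, pos)
        yield envelope


def audit_batch(payload):
    """Return (index, finding) for every envelope lacking a usable metadata time."""
    findings = []
    for index, envelope in enumerate(split_batch(payload)):
        if "time" not in envelope:
            body = envelope.get("event")
            nested = isinstance(body, dict) and "time" in body
            findings.append(
                (index, "time only inside event" if nested else "no time field"))
            continue
        try:
            float(envelope["time"])  # epoch seconds, optionally with a fraction
        except (TypeError, ValueError):
            findings.append((index, "time is not an epoch number"))
    return findings


if __name__ == "__main__":
    print("event-only batch:", audit_batch(BATCH_TIME_IN_EVENT_ONLY))
    print("metadata batch:", audit_batch(BATCH_TIME_IN_METADATA))
```
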