https://community.splunk.com/t5/Splunk-Enterprise/HEC-token-use-for-the-source-to-Splunk/m-p/700079#M20316 <P><SPAN class=""><A href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector.2Fevent" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector.2Fevent</A></SPAN></P><H2><SPAN class="">services/collector/event</SPAN></H2><P>Sends timestamped events to HTTP Event Collector using the Splunk platform JSON event protocol when auto_extract_timestamp is set to "true" in the /event URL.</P><UL><LI><DIV class="">An example of a timestamp is: 2017-01-02 00:00:00.</DIV></LI><LI><DIV class="">If there is a timestamp in the event's JSON envelope, Splunk honors that timestamp first.</DIV></LI><LI><DIV class="">If there is no timestamp in the event's JSON envelope, the merging pipeline extracts the timestamp from the event.</DIV></LI><LI><DIV class="">If "time=xxx" is used in the /event URL then auto_extract_timestamp is disabled.</DIV></LI><LI><DIV class="">Splunk supports timestamps using the Epoch format.</DIV></LI></UL><P>In other words - unless you specify your URI as /services/collector/event?auto_extract_timestamp=true your timestamp will _not_ be extracted from the event itself (Splunk will not even bother looking for it - it will either get the data from the json envelope or will assume current timestamp if there is no timestamp in the envelope). And even if the auto_extract_timestamp parameter is set to true, in cases listed above extraction is not performed either.</P><P>See also <A href="https://www.aplura.com/assets/pdf/hec_pipelines.pdf" target="_blank" rel="noopener">https://www.aplura.com/assets/pdf/hec_pipelines.pdf</A></P> Wed, 25 Sep 2024 10:55:38 GMT PickleRick 2024-09-25T10:55:38Z https://community.splunk.com/t5/Splunk-Enterprise/HEC-token-use-for-the-source-to-Splunk/m-p/700058#M20313 <P>Hello Splunkers!!</P> <P>I have ingested data into Splunk from the source system using the URI "<A href="https://localhost:8088/services/collector" target="_blank" rel="noopener">https://localhost:8088/services/collector</A>" along with the HEC token. However, the data is not being displayed in Splunk with the appropriate sourcetype parsing, which is affecting the timestamp settings for the events.<BR /><BR /></P> <P>The sourcetype and timestamp are currently being displayed as below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uagraw01_1-1727249483055.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32801iC7D147EC1C95597D/image-size/medium?v=v2&amp;px=400" role="button" title="uagraw01_1-1727249483055.png" alt="uagraw01_1-1727249483055.png" /></span></P> <P>My actual props.conf setting as below :</P> <LI-CODE lang="markup">[agv_voot] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom KV_MODE = json pulldown_type = 1 TIME_PREFIX = ^\@timestamp TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N TIMESTAMP_FIELDS = @timestamp TRANSFORMS-trim_timestamp = trim_long_timestamp</LI-CODE><LI-CODE lang="markup">transforms.conf [trim_long_timestamp] REGEX = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})\d+(-\d{2}:\d{2}) FORMAT = $1</LI-CODE> <P><BR />Please help to fix the proper parsing with correct sourcetype and timestamp.</P> Wed, 25 Sep 2024 14:13:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/HEC-token-use-for-the-source-to-Splunk/m-p/700058#M20313 uagraw01 2024-09-25T14:13:18Z https://community.splunk.com/t5/Splunk-Enterprise/HEC-token-use-for-the-source-to-Splunk/m-p/700079#M20316 <P><SPAN class=""><A href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector.2Fevent" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector.2Fevent</A></SPAN></P><H2><SPAN class="">services/collector/event</SPAN></H2><P>Sends timestamped events to HTTP Event Collector using the Splunk platform JSON event protocol when auto_extract_timestamp is set to "true" in the /event URL.</P><UL><LI><DIV class="">An example of a timestamp is: 2017-01-02 00:00:00.</DIV></LI><LI><DIV class="">If there is a timestamp in the event's JSON envelope, Splunk honors that timestamp first.</DIV></LI><LI><DIV class="">If there is no timestamp in the event's JSON envelope, the merging pipeline extracts the timestamp from the event.</DIV></LI><LI><DIV class="">If "time=xxx" is used in the /event URL then auto_extract_timestamp is disabled.</DIV></LI><LI><DIV class="">Splunk supports timestamps using the Epoch format.</DIV></LI></UL><P>In other words - unless you specify your URI as /services/collector/event?auto_extract_timestamp=true your timestamp will _not_ be extracted from the event itself (Splunk will not even bother looking for it - it will either get the data from the json envelope or will assume current timestamp if there is no timestamp in the envelope). And even if the auto_extract_timestamp parameter is set to true, in cases listed above extraction is not performed either.</P><P>See also <A href="https://www.aplura.com/assets/pdf/hec_pipelines.pdf" target="_blank" rel="noopener">https://www.aplura.com/assets/pdf/hec_pipelines.pdf</A></P> Wed, 25 Sep 2024 10:55:38 GMT https://community.splunk.com/t5/Splunk-Enterprise/HEC-token-use-for-the-source-to-Splunk/m-p/700079#M20316 PickleRick 2024-09-25T10:55:38Z