<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Reports are not indexed correctly in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Reports-are-not-indexed-correctly/m-p/670245#M112388</link>
    <description>&lt;P&gt;I have a single search head and configured props.conf with DATETIME_CONFIG = CURRENT because I want the data to be indexed with the time Splunk receives the report. I restarted Splunk after every change.&lt;/P&gt;&lt;P&gt;Previously I had the timestamp set to a field in the report. When I upload a CSV and use the correct sourcetype, it assigns the current time to the report. When I upload a report with curl through the HEC endpoint, it is indexed with the right time. The same happens when I run it through a simple script.&lt;/P&gt;&lt;P&gt;But when the test pipeline runs, the data is indexed with the timestamp that is in the report, even though it uses the same sourcetype as the other tests I did. Is it possible to add a time field that overrides the sourcetype config? Is there a way to see the actual API request in the Splunk internal logs?&lt;/P&gt;</description>
    <pubDate>Thu, 30 Nov 2023 00:25:00 GMT</pubDate>
    <dc:creator>klim</dc:creator>
    <dc:date>2023-11-30T00:25:00Z</dc:date>
    <item>
      <title>Reports are not indexed correctly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Reports-are-not-indexed-correctly/m-p/670245#M112388</link>
      <description>&lt;P&gt;I have a single search head and configured props.conf with DATETIME_CONFIG = CURRENT because I want the data to be indexed with the time Splunk receives the report. I restarted Splunk after every change.&lt;/P&gt;&lt;P&gt;Previously I had the timestamp set to a field in the report. When I upload a CSV and use the correct sourcetype, it assigns the current time to the report. When I upload a report with curl through the HEC endpoint, it is indexed with the right time. The same happens when I run it through a simple script.&lt;/P&gt;&lt;P&gt;But when the test pipeline runs, the data is indexed with the timestamp that is in the report, even though it uses the same sourcetype as the other tests I did. Is it possible to add a time field that overrides the sourcetype config? Is there a way to see the actual API request in the Splunk internal logs?&lt;/P&gt;</description>
      <pubDate>Thu, 30 Nov 2023 00:25:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Reports-are-not-indexed-correctly/m-p/670245#M112388</guid>
      <dc:creator>klim</dc:creator>
      <dc:date>2023-11-30T00:25:00Z</dc:date>
    </item>
  </channel>
</rss>

