https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438292#M76426 <P>You should <CODE>unaccept</CODE> my answer and <CODE>accept</CODE> your because mine was not it. Feel free to <CODE>UpVote</CODE>, though!</P> Sun, 11 Aug 2019 22:45:03 GMT woodcock 2019-08-11T22:45:03Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438287#M76421 <P>I have an index cluster with load balancer<BR /> a curl sending a JSON event to HEC</P> <PRE><CODE>curl <A href="http://indexers-amazonaws.com:8088/services/collector" target="test_blank">http://indexers-amazonaws.com:8088/services/collector</A> -H 'Authorization: Splunk ???' -d '{"sourcetype": "bma","event": {"timestamp": "Sun Aug 11 19:00:00 GMT+10:00 2019","Username": "joblogs", "requestID": "???", "access-level": "1", "authentication": "success"}}' </CODE></PRE> <P>Props that appears to work when I do it manually through data input</P> <PRE><CODE>[bma] INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = true TIME_PREFIX = {"timestamp": " category = Structured disabled = false pulldown_type = 1 </CODE></PRE> <P>I've tried numerous variation of props</P> <P>What am I missing???</P> Sun, 11 Aug 2019 10:57:29 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438287#M76421 proylea 2019-08-11T10:57:29Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438288#M76422 <P>Have you tried adding <CODE>TIME_FORMAT = %a %b %d %H:%M:%S %Z%:z %Y"</CODE> to props.conf?</P> Sun, 11 Aug 2019 13:21:33 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438288#M76422 richgalloway 2019-08-11T13:21:33Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438289#M76423 <P>When using the <CODE>/collector/event</CODE> endpoint, you need to supply your timestamp while formatting your event, along with <CODE>sourcetype</CODE>, <CODE>source</CODE> and <CODE>host</CODE>; if you want to extract the timestamp from your raw data then you need to use the <CODE>/collector/raw</CODE> HEC endpoint instead.</P> Sun, 11 Aug 2019 21:53:16 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438289#M76423 woodcock 2019-08-11T21:53:16Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438290#M76424 <P>Thank you sir, very good.<BR /> I figured after to much playing around with props that my problem was with the event.<BR /> I had tried adding time as suggested but got errors, didn't realise it needed to be epoch time.</P> <P>For those who are interested this format works:<BR /> curl <A href="http://indexers-amazonaws.com:8088/services/collector/event">http://indexers-amazonaws.com:8088/services/collector/event</A> -H 'Authorization: Splunk ???' -d '{"sourcetype": "bma","time": "1565561700","event": {"Username": "jobloggs", "tokenID": "???", "access-level": "1", "authentication": "success"}}'</P> <P>And the raw option also does the trick but the final event is not as tidy</P> Sun, 11 Aug 2019 22:30:14 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438290#M76424 proylea 2019-08-11T22:30:14Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438291#M76425 <P>Thanks Rich, yes I had</P> Sun, 11 Aug 2019 22:31:48 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438291#M76425 proylea 2019-08-11T22:31:48Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438292#M76426 <P>You should <CODE>unaccept</CODE> my answer and <CODE>accept</CODE> your because mine was not it. Feel free to <CODE>UpVote</CODE>, though!</P> Sun, 11 Aug 2019 22:45:03 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438292#M76426 woodcock 2019-08-11T22:45:03Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438293#M76427 <P>I had tried adding time as suggested but got errors, didn't realise it needed to be epoch time.<BR /> For those who are interested this format works:<BR /> curl <A href="http://indexers-amazonaws.com:8088/services/collector/event">http://indexers-amazonaws.com:8088/services/collector/event</A> -H 'Authorization: Splunk ???' -d '{"sourcetype": "bma","time": "1565561700","event": {"Username": "jobloggs", "tokenID": "???", "access-level": "1", "authentication": "success"}}'</P> Mon, 12 Aug 2019 11:32:46 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-extract-timestamp-from-incoming-API-POST/m-p/438293#M76427 proylea 2019-08-12T11:32:46Z