https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537763#M90117 <P>With 7.2.8 must use collector/raw, not collector/event to recognize timestamp in the payload.</P><P>Ver 8.0 with auto_extract_timestamp has been implemented for collector/event<BR />The timestamp recognition issue of this case happened as it's not using collector/raw endpoint.<BR /><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector#Raw_event_parsing" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector#Raw_event_parsing</A></P><P>i) Use 'collector/raw' endpoint then it will detect a correct timestamp.&nbsp;</P><P>ii) Upgrade Splunk to 8.0 or above and use auto_extract_timestamp=true with "collector/event".<BR /><BR />for example, in 8.0+<BR />$ curl -k <A href="http://localhost:8088/services/collector/event?auto_extract_timestamp=true" target="_blank" rel="noopener">http://localhost:8088/services/collector/event?auto_extract_timestamp=true</A> -H "Authorization: Splunk &lt;TOKEN&gt;" -H "content-Type: application/json" -d '{"event": "2020-12-16 00:00:00 Hellow world"}'</P> Fri, 29 Jan 2021 00:32:41 GMT sylim_splunk 2021-01-29T00:32:41Z https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537762#M90116 <P>We have data ingesting into Splunk via HEC token, and observed the time parsing of the event is not taking properly.<BR />Example - In the event the timestamp looks like 2020-12-01 09:59:18.0674, but in the Splunk it was capturing 12/1/20 9:59:18.000 AM. Here missing the millisecond in the Splunk time but it's not limited to the millisecond.. sometimes the second field are not correct..</P><P>We tried applying the time format and time prefix for the source and sourcetype as below, but it is not fixing the issue.<BR />TIME_PREFIX = "Date": "<BR />TIME_FORMAT = %Y-%m-%d %H:%M:%S.%4N</P><P>And also tried the props.conf below;</P><P>[the_sourcetype]<BR />AUTO_KV_JSON = false<BR />INDEXED_EXTRACTIONS = json<BR />TIMESTAMP_FIELDS = Date</P><P>We use collector/event REST endpoint.</P><P>Splunk version 7.2.8.</P> Fri, 29 Jan 2021 00:36:06 GMT https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537762#M90116 sylim_splunk 2021-01-29T00:36:06Z https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537763#M90117 <P>With 7.2.8 must use collector/raw, not collector/event to recognize timestamp in the payload.</P><P>Ver 8.0 with auto_extract_timestamp has been implemented for collector/event<BR />The timestamp recognition issue of this case happened as it's not using collector/raw endpoint.<BR /><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector#Raw_event_parsing" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector#Raw_event_parsing</A></P><P>i) Use 'collector/raw' endpoint then it will detect a correct timestamp.&nbsp;</P><P>ii) Upgrade Splunk to 8.0 or above and use auto_extract_timestamp=true with "collector/event".<BR /><BR />for example, in 8.0+<BR />$ curl -k <A href="http://localhost:8088/services/collector/event?auto_extract_timestamp=true" target="_blank" rel="noopener">http://localhost:8088/services/collector/event?auto_extract_timestamp=true</A> -H "Authorization: Splunk &lt;TOKEN&gt;" -H "content-Type: application/json" -d '{"event": "2020-12-16 00:00:00 Hellow world"}'</P> Fri, 29 Jan 2021 00:32:41 GMT https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537763#M90117 sylim_splunk 2021-01-29T00:32:41Z