Hi,
I have configured the REST API Modular Input to receive CSV data using the default handler and having "response_type = text" in inputs.conf.
Now I am trying to make Splunk identify the header fields and the timestamp fields.
I tried to configure the rest input as an indexed CSV extraction in props.conf, and to use timestamp fields, but this did not work, and I concluded that the REST application extractions are somehow not processed at index-time, but rather at search-time.
Is this correct? If so, how do I handle timestamp extraction based on one of the fields and how do I make Splunk parse the field names automatically?
Thanks a lot.
... View more