Boy am I glad to have found this thread.  Got my problem solved, thank you so much ❤️ ... View more

Thank you for the feedback!  I will take your suggestions into consideration! ... View more

Thanks Luca, this works!  Appreciated! ... View more

Thank you @isoutamo for the response.  Here is more accurate version of payload [ { "Assigned to": "Jones, Francis", "Cost": 3, "Created date": "2024-02-28 12:52:18", "Extraction date": "2024-03-02 13:51:00", "ID": 12345, "Initial Cost": 3, "Location": "Sites", "Path": "Sites\\FY1\\S3", "Priority": 1, "State": "In Progress", "Status Change date": "2024-03-05 16:33:23", "Tags": "Europe; Finance", "Title": "Ensure correct routing of orders", "Updated date": "2024-03-05 16:33:23", "Warranty": false, "Wave Quarter": "Q2 22", "Work Item Type": "Request" }, { "Assigned to": "Jones, Francis", "Cost": 3, "Created date": "2024-02-28 18:59:18", "Extraction date": "2024-03-05 16:31:00", "ID": 12345, "Initial Cost": 3, "Location": "Sites", "Path": "Sites\\FY1\\S3", "Priority": 1, "State": "In Progress", "Status Change date": "2024-03-05 16:33:23", "Tags": "Europe; Finance", "Title": "Ensure correct routing of orders", "Updated date": "2024-03-05 16:33:23", "Warranty": false, "Wave Quarter": "Q2 22", "Work Item Type": "Request" }, { "Assigned to": "Jones, Francis", "Cost": 3, "Created date": "2023-01-28 18:59:18", "Extraction date": "2023-02-05 16:31:00", "ID": 12345, "Initial Cost": 3, "Location": "Sites", "Path": "Sites\\FY1\\S3", "Priority": 1, "State": "In Progress", "Status Change date": "2023-02-05 16:33:23", "Tags": "Europe; Finance", "Title": "Ensure correct routing of orders", "Updated date": "2024-03-05 16:33:23", "Warranty": false, "Wave Quarter": "Q2 22", "Work Item Type": "Request" } ] ... View more

@anatolvd  This gets the job done, I didn't think of that! Thank you! ... View more

This works for me too, nice one! @D2SI I would suggest this being the solution. ... View more

Apologies for the delayed response, I needed time to explore and test.  In the end the issue was that the source was sending to /events endpoint and not /raw.  After updating everything starting working correctly!  Thank you so much for the support! I am accepting this as the answer because it provides multiple approaches, of which redirecting to /raw worked. ... View more

I need to find that out, but thank you for bringing this up!  Am I to assume that it would be best to send to /services/collector/raw?  Thanks! ... View more

Thank you for the response!  I have this same setup with a very similar payload and it works no issues.  Also, when the data comes into the HEC it parses the whole timestamp with the exception of the milliseconds for  the timestamp.  So for example the _time for the example above is: manual upload: 2023-07-12 10:17:32.432 HEC: 2023-07-12 10:17:32.000 One thing about the timestamp format is that it has 7 decimal places and not 6, but I am parsing %6N.  I'm not sure if this would have any bearing. I hope this helps! ... View more

@Gr0und_Z3r0 Thanks for the support, much appreciated.  I ensured that all rest related capabilities were enabled, unfortunately still no dice.  What I did discover, though, was that I can list the licenser services no problem: I can even call some of them.  For example I can list the usage: I'll continue to investigate and update if I find anything. Best regards, Andrew ... View more

@Gr0und_Z3r0 Thanks again for the response.  I did not have that capability enabled for "admin" role, but after enabling it still didn't solve 😕 I tried debug/refresh as well, but no luck. Regards, Andrew ... View more

Thanks again @Gr0und_Z3r0.  I am running Splunk 8.2.6.  Also, I am running the search on the Search Head that is not used as License Manager.  I also have the same permissions for admin role: Any other ideas? Thanks! Andrew ... View more

@Gr0und_Z3r0 Thank you for the response!  Unfortunately this command does not return any results.  I am running it as local administrator in the search app.  Am I missing something?  Thanks! ... View more

Hello All, I am also facing issues post upgrade.  When trying to save via web UI after specifying to not save a backup I get the error "The lookup file could not be saved". One of the best apps for Splunk has effectively become useless 😞 Is this being investigated at all? Thanks! Andrew ... View more

Thanks for the input @PickleRick  ... View more

@Tom_Lundie Thank you again for the response, I appreciate you taking the time. I updated the sourcetype, deployed it, both problems solved: timestamp is no longer multivalue with "none" value and _time is associated correctly to the epochms value in the payload! Before making the change I ran the tstats search you provided and it returned value "none".  After I made the change and ran it again the value was null.  Then I tabled the results as before and the multivalue is no longer there (I also added timestamp_human and index_time to provide additional understanding): Thank you so much for the suggestions.  Accepting your response as the answer, specifically the sourcetype. Best regards, Andrew ... View more