Hello, now I have found the reason: in another thread @hernanb posted that the "event" endpoint of HEC forwards the data directly to indexing without parsing (additionally, HEC has a "raw" endpoint that parses the data first). Here is the link to the thread: https://community.splunk.com/t5/Getting-Data-In/How-do-you-extract-a-timestamp-from-JSON-logs-that-are-being/td-p/395776

As I use the Splunk-Logging-Library (it uses the "event" endpoint by default), I needed to add a "type" element in the appender configuration (with the value 'raw'):

<Appender name="Splunk_HEC_Local"
          class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>https://localhost:8088</url>
    <token>aaaaaaaaa-bbbbbbbbb-cccccccc</token>
    <disableCertificateValidation>true</disableCertificateValidation>
    <batch_size_count>1</batch_size_count>
    <sourcetype>odata_mpl_message_json</sourcetype>
    <source>Splunk-Integration</source>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%msg</pattern>
    </layout>
    <type>raw</type>
</Appender>

Then I changed the props.conf to the originally expected solution:

[odata_mpl_message_json]
CHARSET = UTF-8
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = 1
TIME_FORMAT=%FT%T.%3N
TIMESTAMP_FIELDS=event.message.logStart
LINE_BREAKER = ([\r\n]+)
category = Custom
description = ODATA SCPI MPL JSON

When I send logs over the HEC now, the events have a slightly different structure with an "event" field: Then, as you can see in the screenshot, the _time event attribute has been set based on the JSON field "event.message.logStart". To find this solution it was necessary to look at the source code of the classes HttpEventCollectorSender.java and HttpEventCollectorLoggingHandler, because this aspect is not documented. Nevertheless, thanks for your support.
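An added illustration (not code from the post, the Splunk-Logging-Library or Splunk itself) of the difference the post describes: a sender that builds the request for either HEC endpoint, and a small imitation of the TIMESTAMP_FIELDS/TIME_FORMAT step the props.conf above configures. The log record, token and base URL are constructed; TIME_FORMAT is translated to Python strptime syntax and the timestamp is assumed to be UTC.

```python
import json
from datetime import datetime, timezone

# Constructed sample log record; the appender puts it under an "event" key (see post).
LOG_MESSAGE = {"message": {"logStart": "2024-03-01T10:15:30.123", "status": "ok"}}

# props.conf TIME_FORMAT=%FT%T.%3N in Python strptime syntax:
# %F = %Y-%m-%d, %T = %H:%M:%S, %3N = milliseconds (Python's %f accepts 1-6 digits).
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"
TIMESTAMP_FIELDS = "event.message.logStart"


def get_path(obj, dotted):
    """Walk a dotted field path through nested dicts; None if a segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract_time(event, timestamp_field=TIMESTAMP_FIELDS, fmt=TIME_FORMAT):
    """Mimic the TIMESTAMP_FIELDS/TIME_FORMAT step: return _time as epoch seconds.
    The value carries no zone, so UTC is assumed (Splunk would apply its TZ setting)."""
    value = get_path(event, timestamp_field)
    if not isinstance(value, str):
        return None  # field missing: Splunk falls back to another timestamp source
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None  # value does not match TIME_FORMAT: same fallback


def build_hec_request(base_url, token, sourcetype, message, endpoint="event"):
    """Build (not send) the request for either HEC endpoint. Both carry the record under
    "event". 'event' takes sourcetype in the envelope and does not parse the body for a
    timestamp; 'raw' takes sourcetype as a query parameter and lets that sourcetype's
    props.conf do line breaking and timestamp extraction."""
    headers = {"Authorization": "Splunk " + token}
    body = {"event": message}
    if endpoint == "raw":
        url = f"{base_url}/services/collector/raw?sourcetype={sourcetype}"
    else:
        url = f"{base_url}/services/collector/event"
        body["sourcetype"] = sourcetype  # without a "time" field, _time is not the log's
    return {"url": url, "headers": headers, "body": json.dumps(body)}


def index_raw(body):
    """What the indexer does with a raw-endpoint body under the props.conf above."""
    return extract_time(json.loads(body))
```

Running `index_raw` over the raw-endpoint body yields the logStart time as _time, while the same record posted to the event endpoint would carry no timestamp at all unless the client sets the envelope's "time" field itself.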