Yeah we finally got it working. It was firewall issue.

How did you configure BeyondTrust to send via the HTTP Event Collector?

Or do you have a link to any documentation?

Well, I don't own Beyond Trust application. However, they provided me access to console to troubleshoot. I just needed to add the following on the configuration page of BT
Host Name:
Port:
Splunk Index:
Splunk Sourcetype:
Splunk Source:

Then at the bottom they had a panel to checkmark what to send or something similar

Ahh, yeah I don't see the configuration page on BT. Unless you are referring to Tools-->Alerting-->Actions, but that doesnt have anything Splunk related other than the host value to send to

No. It was under Configure -> Connectors

Do you have that options? I got access through the webpage, not the actual console

I believe we are on an older version, working to get it updated now. Are you using a TA for the props / transforms or just built your extractions custom?

I don't have any props or transforms as of now.

I believe since the data does not come through raw, it is considered already "cooked" and no index-time extractions can be applied. We are missing a severity field as well as the timestamp being 4 hours off. This is using the Splunk HEC connector. We might have to default back to syslog! Thanks for the help!

Yeah time is off. Haven't had time to do a research on how to fix it. Props doesn't work either.

But one thing I noticed was test didn't have issues as the logs didn't have any time on it. So it took indexing time. But the real logs have time, and gets screwed.

I Agree. Have had similar issues