I have an http event collector configured with a heavy forwarder in the DMZ forwarding to an internal Indexer. The timtestamp of all events is being set to the time received, it's not picking up the "time" value from the body despite my props.conf settings. No errors or warnings in "_internal" around timestamp or anything close to it. Test event sent to the collector: curl --location --request POST 'https://<redacted>.com/services/collector' \
--header 'Authorization: Splunk <redacted>' \
--header 'Content-Type: application/json' \
--data-raw '{"event": {"time":"2021-02-04 20:20:20.123-05:00","userSettings":{"userId":"ab12345","userName":"ab12345,"site":"000"},"version":5070004},"sourcetype": "st-test"}' shows up as expected in Search results as expected (raw): {"time":"2021-02-04 20:20:20.123-05:00","userSettings":{"userId":"ab12345","userName":"ab12345","site":"901"},"version":5070004} props.conf for this sourcetype is configured on both the heavy forwarder and internal indexer: [st-test]
TRUNCATE = 100000
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
disabled = false
pulldown_type = 1
TIME_PREFIX = "time":"
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%:z
MAX_TIMESTAMP_LOOKAHEAD = 32 Any ideas?
... View more