Splunk log stream endpoint services/collector

Problem statement

I have log streaming configured for Splunk in all of my tenants. The logs are making it to Splunk with no issue, but I’m unable to get a working timestamp extraction configuration in Splunk. I engaged Splunk support and they asked if the logs are being sent to the services/collector or the services/collector/raw endpoint for the HEC.

The raw endpoint is the only one that supports timestamp extraction, according to Splunk. Without extraction, we get all of our logs with mismatched timestamps.

Solution

Going with the /services/collector/raw endpoint is one solution to fix the timestamp discrepancies, and it has been added to our product backlog; as soon as we have any information on that front, we'll let you know.
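Added example, not code from the original thread or from either vendor: the two HEC request bodies the thread contrasts, built in Python for a constructed log record. On /services/collector Splunk does not run timestamp extraction over the `event` field, so the record's own timestamp is copied into the envelope's `time` key (epoch seconds), otherwise Splunk stamps the event with its arrival time; on /services/collector/raw the bare text is sent and Splunk's sourcetype extraction does the work. The field names in the sample record and the `_json` sourcetype are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample log record; field names are assumptions, not from the thread.
SAMPLE_LOG = {
    "timestamp": "2024-03-05T12:34:56.789Z",
    "level": "info",
    "message": "user login succeeded",
    "user": "placeholder-user@example.com",
}


def to_epoch(iso_ts):
    """Convert an ISO-8601 timestamp ('Z' or explicit offset) to epoch seconds."""
    if not iso_ts:
        return None
    ts = iso_ts.replace("Z", "+00:00")  # fromisoformat() before 3.11 rejects a bare 'Z'
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assume UTC when the source gives no offset
    return round(dt.timestamp(), 3)


def hec_json_body(record, sourcetype="_json"):
    """Body for POST /services/collector (JSON envelope).
    Splunk does not extract a timestamp from 'event' here; without an explicit
    'time' key the event is indexed with the time HEC received it."""
    body = {"sourcetype": sourcetype, "event": record}
    epoch = to_epoch(record.get("timestamp"))
    if epoch is not None:
        body["time"] = epoch
    return json.dumps(body, separators=(",", ":"))


def hec_raw_body(record):
    """Body for POST /services/collector/raw?sourcetype=<name>: the bare event text.
    Splunk applies the sourcetype's timestamp extraction (props.conf) to it."""
    return json.dumps(record, separators=(",", ":"))


def carried_time(json_body):
    """Return the 'time' value a /services/collector body carries, or None."""
    return json.loads(json_body).get("time")


if __name__ == "__main__":
    print("POST /services/collector\n" + hec_json_body(SAMPLE_LOG))
    print("POST /services/collector/raw?sourcetype=_json\n" + hec_raw_body(SAMPLE_LOG))
```

A record with no timestamp field yields an envelope without `time`, which is exactly the case where Splunk falls back to receipt time and the mismatch appears.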