potential to it services/collector/raw rathr than services/collector/event

[acurciosplunk]

Has anyone investigated the potential to leverage this to hit the services/collector/raw endpoint?

Primary issue being the default time in epoch, and Splunk being able to mod the meta data with /raw.

https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector_on_Splunk_Cloud_instances "In many cases, you use the /services/collector endpoint for JavaScript Object Notation (JSON)-formatted events or the services/collector/raw endpoint for raw events"

Event endpoint reference (services/collector/event) http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector.2Fevent Raw endpoint reference (services/collector/raw) http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector.2Fraw

Format events for HTTP Event Collector https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/FormateventsforHTTPEventCollector "Support for parsing raw event text is available in Splunk Enterprise 6.4.0 and later, Splunk Light 6.4.0 and later, and in the current releases of Splunk Cloud and Splunk Light Cloud.”

Default time format being epoch time is described here. https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/FormateventsforHTTPEventCollector#Event_metadata Specifically the section below the meta data table that reads: "With raw events, you can configure metadata at the global level (all tokens), at the token level, and at the request level using the query string. Metadata specified within a request will apply to all events that are extracted from the request."

which leads us to this section on Event Parsing: https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/FormateventsforHTTPEventCollector#Event_parsing