splunk / azure-functions-splunk

Azure Functions for getting data in to Splunk
Apache License 2.0

Time is wrong #20

Open patrickouelletwawa opened 3 months ago

patrickouelletwawa commented 3 months ago

Hi,

The function uses the "time" property of the event to send the "time" metadata property while sending via HEC. The problem is, when looking at AAD sign-ins, the "time" in the event is not the true sign-in time. The true sign-in time is in the properties.createdDateTime field.

Given these 3 sign-in examples, we can see in the 1st screenshot the "time" field doesn't correspond to the true Sign-In times as reported by Azure (2nd screenshot).


Now normally we could use sourcetype time settings in Splunk to overwrite how Splunk parses the time, but in this case we cannot. Since the time field is sent as time metadata through HEC, that's the time that it uses regardless of sourcetype settings.

I think what would be best here is not sending any "time" metadata. Let Splunk configuration do its thing, allow it and us to configure time parsing. All events coming in will have some other field we can use to determine true time. And if not, Splunk will use the index time. No harm done.

Lines 86-87 and 98-99 of helpers/splunk.js are what I'm referring to. They could be removed to fix this.

JasonConger commented 3 months ago

Thanks for the feedback @patrickouelletwawa.

TL;DR = there was a reason for this, but there is an option that can be implemented to remedy this.

There are 2 possible endpoints with HEC - /event and /raw. When sending data to the /event endpoint, the parsing and merging pipelines are skipped for performance. The merging pipeline performs timestamp extraction. So if you do not send a timestamp with the event to the /event endpoint, the event will use _indextime as _time always.

That being said, there is a new-ish switch named auto_extract_timestamp that can be used to tell the /event endpoint to enter the merging pipeline and all your props for timestamp extraction will work as expected. We'll get this implemented.
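The two request shapes discussed in this thread (the current "time" metadata versus the auto_extract_timestamp remedy), as an added example that is not code from azure-functions-splunk; the HEC host, sourcetype name and sample sign-in record are constructed, and it assumes auto_extract_timestamp is passed as a query parameter on the /event URL.

```javascript
// Added example (not code from azure-functions-splunk): builds the HEC /event
// request two ways for an AAD sign-in record whose top-level "time" is the
// export time, not the sign-in time held in properties.createdDateTime.
const HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"; // placeholder host

// Constructed sample resembling an AAD sign-in record as exported to Azure.
const SAMPLE_EVENT = {
  time: "2024-05-01T12:10:00.000Z",            // when the record was emitted
  category: "SignInLogs",
  properties: {
    createdDateTime: "2024-05-01T11:58:42.000Z", // the true sign-in time
    userPrincipalName: "user@example.invalid"
  }
};

// HEC expects the "time" metadata as epoch seconds (fractional allowed).
function toEpochSeconds(iso) {
  const ms = Date.parse(iso);
  if (Number.isNaN(ms)) throw new Error(`unparseable timestamp: ${iso}`);
  return ms / 1000;
}

// Option A (the behaviour the issue describes): event.time becomes the HEC
// "time" metadata, which pins _time regardless of sourcetype props.
function buildRequestWithTimeMetadata(event, sourcetype) {
  return {
    url: HEC_URL,
    body: { sourcetype, time: toEpochSeconds(event.time), event }
  };
}

// Option B (the maintainer's remedy): send no "time" metadata and ask HEC to
// run the merging pipeline, so sourcetype props can pick createdDateTime.
// Assumption: auto_extract_timestamp is a query parameter on /event.
function buildRequestWithAutoExtract(event, sourcetype) {
  return {
    url: `${HEC_URL}?auto_extract_timestamp=true`,
    body: { sourcetype, event }
  };
}

// How far _time would drift from the real sign-in under option A, in seconds.
function timestampSkewSeconds(event) {
  return toEpochSeconds(event.time) - toEpochSeconds(event.properties.createdDateTime);
}
```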

patrickouelletwawa commented 3 months ago

Thank you, I'm glad this is being looked at.