
Support option auto_extract_timestamp=true in HEC url

Open yoann-ls opened this issue 9 months ago • 3 comments

What is the sc4s version? 3.34.2

Feature Request description: When receiving logs from Snare for Windows, the timestamp of the event may be different from the timestamp in the syslog header. Therefore we must force the HEC to extract the timestamp at index time from the message, and thus use the option in the HEC url:

/services/collector/event?auto_extract_timestamp=true

Adding an option in the configuration file to support this on a per destination group basis would solve the issue.

The code to amend is the file conf.d/destinations/dest_hec/plugin.py, adding the option: hec_endpoint_path = "/services/collector/event?auto_extract_timestamp=true"

yoann-ls avatar Apr 01 '25 12:04 yoann-ls
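The points raised in this issue (a Snare event whose body timestamp differs from its syslog header timestamp, and an HEC URL carrying auto_extract_timestamp=true) as a small worked example. This is added illustration, not SC4S code and not the proposed plugin.py change: the Snare line is constructed, the HEC host and token are placeholders, and the request is built but never sent.

```python
"""Added example (not part of splunk-connect-for-syslog): build an HEC event
URL with auto_extract_timestamp=true and a payload that leaves timestamping to
the indexer, and show the header/body timestamp mismatch on a Snare line."""
import json
import re
import urllib.request
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HEC_EVENT_PATH = "/services/collector/event"

# Constructed Snare-for-Windows line: the syslog header says 12:04:00 while the
# Snare DateTime field (5th tab-separated field) says 11:58:12. Placeholder data.
SAMPLE_SNARE_LINE = (
    "<13>Apr  1 12:04:00 WIN-DC01 MSWinEventLog\t1\tSecurity\t4821\t"
    "Tue Apr 01 11:58:12 2025\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWIN-DC01\tLogon\t\tAn account was successfully logged on."
)

_SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL
)


def snare_timestamps(line: str) -> Tuple[str, str]:
    """Return (syslog header timestamp, Snare body timestamp) for one line.

    This is what makes the issue's case: the two values differ, so a collector
    that trusts the syslog header stamps the event with the wrong time.
    """
    m = _SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not an RFC3164-style syslog line")
    header_ts, _host, body = m.groups()
    fields = body.split("\t")
    if len(fields) < 5 or fields[0] != "MSWinEventLog":
        raise ValueError("body is not a Snare MSWinEventLog record")
    return header_ts, fields[4]


def build_hec_url(base_url: str, auto_extract_timestamp: bool = True) -> str:
    """Return the HEC event endpoint for base_url with the option set explicitly.

    Accepts a bare host, a URL that already ends in /services/collector or
    /services/collector/event, and URLs that already carry query parameters
    (those are preserved, as when appending to the URL given to the chart).
    """
    parts = urlsplit(base_url)
    path = parts.path.rstrip("/")
    if path.endswith(HEC_EVENT_PATH):
        pass
    elif path.endswith("/services/collector"):
        path += "/event"
    else:
        path += HEC_EVENT_PATH
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["auto_extract_timestamp"] = "true" if auto_extract_timestamp else "false"
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def build_hec_payload(raw_event: str, sourcetype: str, host: str,
                      index: Optional[str] = None) -> dict:
    """HEC JSON metadata for one raw event.

    The "time" field is deliberately omitted: we want the indexer to derive the
    timestamp from the event text (the Snare body), not from a value set here.
    """
    payload = {"event": raw_event, "sourcetype": sourcetype, "host": host}
    if index:
        payload["index"] = index
    return payload


def build_hec_request(url: str, token: str, payload: dict) -> urllib.request.Request:
    """Prepare (but do not send) the HEC POST; urlopen(req) would deliver it."""
    body = json.dumps(payload).encode("utf-8")
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    header_ts, body_ts = snare_timestamps(SAMPLE_SNARE_LINE)
    print(f"syslog header time: {header_ts!r}  snare body time: {body_ts!r}")
    url = build_hec_url("https://hec.example.invalid:8088")  # placeholder host
    req = build_hec_request(url, "PLACEHOLDER-HEC-TOKEN",
                            build_hec_payload(SAMPLE_SNARE_LINE, "snare:windows", "WIN-DC01"))
    print(req.get_method(), req.full_url)
```

Running the script prints the two differing timestamps from the constructed line and the URL the request would be posted to; whether the indexer actually honours the extracted time also depends on the sourcetype's props on the Splunk side, which this example does not model.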

Wouldn't it make more sense to create a custom filter and extract it in SC4S? Alternatively we could try changing hec endpoint in values: charts/splunk-connect-for-syslog/values.yaml

sbylica-splunk avatar Apr 04 '25 10:04 sbylica-splunk

yes that would be a good alternative if we can do that

yoann-ls avatar Apr 07 '25 16:04 yoann-ls

@yoann-ls , you can just set this in the helm chart. Append it to the splunk url you provide.

Do you find this to work though?

I have a props-defined time extraction and I cannot get Splunk to use index time for data coming from Splunk Connect for Syslog. I've tried this method without any luck. Is there any other hack for this?

chipzzz avatar Jun 20 '25 14:06 chipzzz

@yoann-ls any updates to this case?

sbylica-splunk avatar Aug 12 '25 11:08 sbylica-splunk