can I use both auto_extract_timestamp and timestamp_key in splunk_hec_logs

[shamj]

I have a sceanio where some events have timestamp and some are not. while forwarding to splunk. it takes the time of ingestion.
can I use both auto_extract_timestamp and timestamp_key and keep auto_extract_timestamp as true for the logs that has timestamp. and use timestamp_key for logs that don't have timestamp in it.

[pront]

The timestamp_key setting tells Vector to retrieve the timestamp from a non-default e.g. foo. If .foo doesn't exist or doesn't have a value then the produced payload won't have a timestamp.

For the behavior auto_extract_timestamp it all depends on how you configured Splunk (something I am not very familiar with). These might be helpful:

• https://community.splunk.com/t5/Getting-Data-In/HEC-timestamp-recognition/m-p/537763#M90117
• https://docs.splunk.com/Documentation/Splunk/9.4.1/Data/Configuretimestamprecognition

[pgollangi]

If you use timestamp_key then auto_extract_timestamp ignored by splunk. Vector does nothing wrong here because if you set timestamp_key vector pass extract it and send it as time in the msgs, similarly vector just pass auto_extract_timestamp to splunk API. But splunk ignore auto_extract_timestamp if it detect time in the message/URL

This is what splunk HEC API doc says:

Sends timestamped events to HTTP Event Collector using the Splunk platform JSON event protocol when auto_extract_timestamp is set to "true" in the /event URL.

• An example of a timestamp is: 2017-01-02 00:00:00.
• If there is a timestamp in the event's JSON envelope, Splunk honors that timestamp first.
• If there is no timestamp in the event's JSON envelope, the merging pipeline extracts the timestamp from the event.
• If "time=xxx" is used in the /event URL then auto_extract_timestamp is disabled.
• Splunk supports timestamps using the Epoch format.