From 8c7ab8fcf29cfecec017cd6dc163129e68da7b7f Mon Sep 17 00:00:00 2001
From: digitalbadger-uk <63948954+digitalbadger-uk@users.noreply.github.com>
Date: Mon, 21 Aug 2023 13:44:52 +0100
Subject: [PATCH] Added required epoc time field for Splunk HEC Event Receiver (#14246)
Signed-off-by: Iain
---
 awx/main/utils/formatters.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/awx/main/utils/formatters.py b/awx/main/utils/formatters.py
index 783278bd9e..48edd56f65 100644
--- a/awx/main/utils/formatters.py
+++ b/awx/main/utils/formatters.py
@@ -283,6 +283,7 @@ class LogstashFormatter(LogstashFormatterBase):
 message.update(self.get_debug_fields(record))
 if settings.LOG_AGGREGATOR_TYPE == 'splunk':
- # splunk messages must have a top level "event" key
- message = {'event': message}
+ # splunk messages must have a top level "event" key when using the /services/collector/event receiver.
+ # The event receiver wont scan an event for a timestamp field therefore a time field must also be supplied containing epoch timestamp
+ message = {'time': record.created, 'event': message}
 return self.serialize(message)
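Review bot: The new comment above `message = {'time': record.created, 'event': message}` does not say which clock or unit `time` carries, and that matters to anyone building a timeline from these logs. `record.created` is the float seconds-since-epoch stamped when the `LogRecord` was created on the emitting node, so the envelope carries the emit time; if the payload also holds its own timestamp for the underlying activity (not visible in this hunk), the two can differ. I would reword the comment to `# HEC /services/collector/event does not parse a timestamp out of the event body, so supply 'time' explicitly:` followed by `# epoch seconds (float) from record.created, i.e. when this log record was emitted.`, which also fixes the "wont" typo. The commit touches only formatters.py, so a unit test asserting that the splunk envelope has exactly the keys `time` and `event`, with `time == record.created`, would guard the format against regressions. The enclosing method starts outside the hunk.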