Splunk hasn’t documented the pipelines used by different HEC endpoints (raw vs event vs event with auto_extract_timestamp). This cheat sheet pulls together some information learned by testing different configurations and endpoints.
