Yes, you can force a given field in the JSON data coming into the HEC to be the timestamp. If you do not, _time will populate with the timestamp of when it is received by Splunk.

This line in props.conf will set _time to index/received time:

DATETIME_CONFIG = CURRENT

Check out the props.conf docs for more examples.
from User warren – Stack Overflow https://stackoverflow.com/questions/77086817/splunk-http-collection-ignores-props-conf-file/77089013#77089013
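As an added illustration of the two choices the answer describes (this is not the answer's own configuration and not Splunk's documentation), here are two props.conf stanzas: one that pins _time to receipt time, and one that pulls _time out of a JSON field in the event body. The sourcetype names "app:json:received" and "app:json:fielded" and the JSON field "event_time" are assumptions made for the example; substitute the sourcetype your HEC token actually assigns.

```ini
# Added example, not from the original answer. Sourcetype names and the
# "event_time" field are hypothetical; adjust them to your own data.

# Option A: ignore any timestamp inside the event and stamp _time with the
# time Splunk received it. Useful when the sender's clock cannot be trusted.
[app:json:received]
DATETIME_CONFIG = CURRENT

# Option B: extract _time from an ISO-8601 value in the "event_time" field,
# e.g. {"event_time":"2024-05-01T12:34:56.789+0000","msg":"login ok"}
[app:json:fielded]
# Regex that must match immediately before the timestamp text
TIME_PREFIX = "event_time":\s*"
# strptime pattern for the value that follows TIME_PREFIX
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
# How many characters after TIME_PREFIX Splunk may scan for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 32
# Bound how far in the past/future a parsed timestamp may be; values outside
# this window fall back to other timestamp logic instead of being indexed
# with a badly skewed _time (which would hide events from time-bounded searches)
MAX_DAYS_AGO = 30
MAX_DAYS_HENCE = 1
```

Two caveats worth knowing when applying this. First, props.conf timestamp extraction only runs when Splunk parses the raw event text, which is what the HEC /services/collector/raw endpoint does; the /services/collector/event endpoint instead takes an optional top-level "time" key (epoch seconds) in the JSON envelope, and that value becomes _time directly, so a client that wants to control _time there should set "time" rather than rely on props.conf. Second, after changing props.conf, confirm the result rather than assuming it: send a test event and compare _time against _indextime for that sourcetype (for example with `| eval lag=_indextime-_time`); a lag near zero under option B means the field was not extracted and receipt time was used instead.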