topic Re: How to determine if data sent to HEC came in on Event or Raw endpoint in Getting Data In

How to determine if data sent to HEC came in on Event or Raw endpoint

gn694 — Wed, 23 Apr 2025 16:51:40 GMT

Is there any way to tell whether data coming into Splunk's HEC was sent to the event or raw endpoint?
You can't really tell from looking at the events themselves, so I was hoping there was a way to tell based on something like the token, sourcetype, source, or host.

I have tried searching the _internal index and have not found anything helpful.

Re: How to determine if data sent to HEC came in on Event or Raw endpoint

VatsalJagani — Wed, 23 Apr 2025 17:08:38 GMT

@gn694- I don't think there is any direct way or internal logs you can use this for this what you need.

Unless you can see the difference in data in terms of fields indexed OR you check on the source side.

Re: How to determine if data sent to HEC came in on Event or Raw endpoint

gn694 — Wed, 23 Apr 2025 17:27:46 GMT

I was afraid of that. Makes it hard for me because I don't have access to the source side of things for most things coming into HEC.

Re: How to determine if data sent to HEC came in on Event or Raw endpoint

livehybrid — Wed, 23 Apr 2025 19:28:52 GMT

Hi @gn694

If you are on-prem then you can set the HttpInputDataHandler component to DEBUG mode (but dont do it for long!) - this will record the contents of HEC payloads in _internal which might help you work out if its raw or event endpoints.

Edit the log level via Settings->Server Settings->Server Logging - search for "HttpInputDataHandler" and change to DEBUG.

Shortly after you will get logs like this:

Search:

index=_internal sourcetype=splunkd log_level=debug component=HttpInputDataHandler

In my example, the top one was using the event endpoint and the bottom using the raw endpoint.

The logs sent to the event endpoint will always have an "event" field in the body_chunk value, along with other fields like time/host/source etc.

Try this and let me know how you get on!

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: How to determine if data sent to HEC came in on Event or Raw endpoint

PickleRick — Wed, 23 Apr 2025 21:57:27 GMT

There is yet another thing which can sometimes hint at whether you're getting data onto one or the other endpoint. With the /event endpoint you can push indexed fields. So if you have some non-raw-based fields which obviously weren't extracted/calculated in the ingestion pipeline (but for this you'd have to dig through your index-time configs) that would singly suggest you're getting data via/event endpoint.