https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352758#M64641 <P>Need to add sourcetype in your event like {"event":"testing", "sourcetype": "st"}</P> Thu, 06 Sep 2018 17:08:15 GMT chli_splunk 2018-09-06T17:08:15Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352755#M64638 <P>I want to try to inputting a simple event to HTTP event collector just to test if it works. I think it was able to find the web address and also authenticate it with the token value. But I get an error with the invalid data format. What can I do to fix it?<BR /> I have the following command:<BR /> curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" <A href="https://localhost:8088/services/collector/event">https://localhost:8088/services/collector/event</A> -d '{"event":"testing"}'<BR /> With the following result:<BR /> {"text":"Invalid data format","code":6,"invalid-event-number":0}</P> Wed, 20 Sep 2017 21:18:00 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352755#M64638 tamduong16 2017-09-20T21:18:00Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352756#M64639 <P>Why the duplicate post? You already had a thread going... Anyways, try escaping the double quotes (curl may not like it the way it is):</P> <PRE><CODE>curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" <A href="https://localhost:8088/services/collector/event" target="test_blank">https://localhost:8088/services/collector/event</A> -d '{\"event\":\"testing\"}' </CODE></PRE> Thu, 21 Sep 2017 01:51:05 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352756#M64639 s2_splunk 2017-09-21T01:51:05Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352757#M64640 <P>I still have the same error <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 21 Sep 2017 14:15:03 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352757#M64640 tamduong16 2017-09-21T14:15:03Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352758#M64641 <P>Need to add sourcetype in your event like {"event":"testing", "sourcetype": "st"}</P> Thu, 06 Sep 2018 17:08:15 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352758#M64641 chli_splunk 2018-09-06T17:08:15Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352759#M64642 <P>For the record, this one worked for us -</P> <PRE><CODE>curl "https://&lt;HEC service&gt;:443/services/collector/event" -H "Authorization: Splunk f5b9eac2-7319-4dfb-80d0-86f44a9785cd" -k -d "{\"host\":\"xxxx\",\"sourcetype\":\"test_hec\",\"source\":\"test\",\"event\":{\"message\":\"ERROR\",\"code\":\"401\"}}" </CODE></PRE> Fri, 31 May 2019 20:27:41 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352759#M64642 ddrillic 2019-05-31T20:27:41Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352760#M64643 <P>I know this is an old post, but it seems that there isn't a good answer to this question, so I felt I should share after recently experiencing the same error. <BR /> The error is in my experience is indicative of a formatting issue or expected key / value pairs that are missing in or with your data. I would inspect the data for unexpected characters, white space's, etc as well. An example: I ran into this issue, and when inspecting the format of the data there were white spaces between colons that separate k/v pairs:</P> <P>Example of data where I saw this error. Although not apparent, there are white spaces between the key: value. When I removed the white spaces, I was able to successfully send the data:<BR /> (NOTE: This is metric data going to a metric index).</P> <P>"{<BR /> "source": "t_e_api", <BR /> "host": "server1, <BR /> "event": "metric", <BR /> "fields": <BR /> {<BR /> "ftpTimeLimit": "1", <BR /> "group": "", <BR /> "metric_name": "c_u_used",<BR /> "agents": "",<BR /> "accountGroupName": "Is1",<BR /> "url": "",<BR /> "type": "1",<BR /> "interval":"4",<BR /> "enabled":"1",<BR /> "testName": "test1",<BR /> "_value": 3022222,<BR /> "sipTimeLimit": "1",<BR /> "httpTimeLimit": "3",<BR /> "aid": 170000,<BR /> "pageLoadTimeLimit": "7",<BR /> "test_id": 110101,<BR /> "testType": "Web - HTTP Server"<BR /> },<BR /> "time": 1571420739<BR /> }"</P> <P>This adjustment (removal of white spaces) fixed the issue:<BR /> "{<BR /> "source":"t_e_api", <BR /> "host":"server1, <BR /> "event":"metric", <BR /> "fields":<BR /> {<BR /> "ftpTimeLimit":"1", <BR /> "group":"", <BR /> "metric_name":"c_u_used",<BR /> "agents":"",<BR /> "accountGroupName":"Is1",<BR /> "url":"",<BR /> "type":"1",<BR /> "interval":"4",<BR /> "enabled":"1",<BR /> "testName":"test1",<BR /> "_value":3022222,<BR /> "sipTimeLimit":"1",<BR /> "httpTimeLimit":"3",<BR /> "aid":170000,<BR /> "pageLoadTimeLimit":"7",<BR /> "test_id":110101,<BR /> "testType":"Web - HTTP Server"<BR /> },<BR /> "time":1571420739<BR /> }"</P> Wed, 30 Sep 2020 02:34:49 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352760#M64643 damiensurat 2020-09-30T02:34:49Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352761#M64644 <P>Just replace event by raw like this:<BR /> curl -k <A href="https://localhost:8088/services/collector/raw">https://localhost:8088/services/collector/raw</A> -H "Authorization: Splunk 65652e8c-443d-42b6-9b75-02657b215665" -d '{"event":"This is test http event collector"}'<BR /> You can find the answer from this link:<BR /> <A href="https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2,Just">https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2,Just</A> replace event by raw like this:<BR /> curl -k <A href="https://localhost:8088/services/collector/raw">https://localhost:8088/services/collector/raw</A> -H "Authorization: Splunk 65652e8c-443d-42b6-9b75-02657b215665" -d '{"event":"This is test http event collector"}'<BR /> I found this answer from following link: <BR /> <A href="https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2">https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2</A></P> Fri, 10 Apr 2020 04:10:14 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/352761#M64644 anupagazi 2020-04-10T04:10:14Z https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/678754#M113421 <P>Was getting similar errors too. Adding the /raw in my curl statement resolved the issue.</P> Tue, 27 Feb 2024 02:51:42 GMT https://community.splunk.com/t5/Getting-Data-In/HTTP-event-collector-error-with-data-format/m-p/678754#M113421 NKB 2024-02-27T02:51:42Z