https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459712#M79377 <P>Doesn't using the raw endpoint solve your problem? Can you just use that or does some other issue arise?</P> Wed, 07 Nov 2018 18:09:41 GMT marycordova 2018-11-07T18:09:41Z https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459709#M79374 <P>Hey,</P> <P>We're trying to use Splunk HEC (+fluentd) and our existing linemerge rules aren't applied to events pushed using HEC.<BR /> We have a Splunk forwarder that pushes the same data and the linemerge rules properly applied to them.</P> <P>Am I missing anything? Does HEC ignore merge rules ?</P> Tue, 06 Nov 2018 13:52:02 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459709#M79374 yarinm 2018-11-06T13:52:02Z https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459710#M79375 <P>Are you sending JSON data or "raw" data? I have JSON data that is a little off, so it uses the raw endpoint instead and I set the KV_MODE to json in props.conf.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/FormateventsforHTTPEventCollector#Event_parsing">http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/FormateventsforHTTPEventCollector#Event_parsing</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTinput#services.2Fcollector.2Fraw">http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTinput#services.2Fcollector.2Fraw</A></P> <P>Also...there are some things you cannot do on a Universal Forwarder that you can on a Heavy Forwarder regarding props and transforms. </P> <P>So: </P> <OL> <LI>maybe try a Heavy Forwarder</LI> <LI>maybe try the raw HEC and a combination of props settings (also on a Heavy Forwarder?)</LI> </OL> Tue, 06 Nov 2018 19:42:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459710#M79375 marycordova 2018-11-06T19:42:39Z https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459711#M79376 <P>@marycordovacaa The current official plugin by splunk for fluentd doesn't support the raw API <A href="https://github.com/splunk/fluent-plugin-splunk-hec">https://github.com/splunk/fluent-plugin-splunk-hec</A></P> <P>We're currently sending using the /event endpoint. </P> <P>After some testing, if I use the raw endpoint (and batch the events) together the LINEMERGE rule applies. If I use the event endpoint (with batching) it ignores it completely. I was afraid that I'll have to resort to merging the lines with fluentd..</P> <P>Any other suggestions? </P> Wed, 07 Nov 2018 07:33:40 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459711#M79376 yarinm 2018-11-07T07:33:40Z https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459712#M79377 <P>Doesn't using the raw endpoint solve your problem? Can you just use that or does some other issue arise?</P> Wed, 07 Nov 2018 18:09:41 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459712#M79377 marycordova 2018-11-07T18:09:41Z https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459713#M79378 <P>The official splunk-hec fluentd plugin doesn't support the /raw endpoint at the moment.. </P> Wed, 07 Nov 2018 20:56:10 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459713#M79378 yarinm 2018-11-07T20:56:10Z https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459714#M79379 <P>maybe submit a feature request or a bug...i dont know if its trivial to edit the plugin to use the raw endpoint or not...and then of course updates could be likely to break the customization</P> Thu, 08 Nov 2018 00:30:04 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459714#M79379 marycordova 2018-11-08T00:30:04Z https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459715#M79380 <P>does anyone fix this issue?</P> Wed, 18 Sep 2019 08:19:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-linemerging-not-working-with-Http-Event-Collector-HEC/m-p/459715#M79380 benazir 2019-09-18T08:19:18Z