Getting Data In

Can not find HTTP Event Collector field events

fmathis
Engager

Hello,

I am trying to post events through HEC like so :

{
  "host": "my_host",
  "sourcetype": "my_source_type",
  "time": 15617254748.888,
  "event": {
    "event": "my_event_name",
    "source": "my_source",
    "message": "My message"
  }
}

Unfortunately, I cannot find these events in my index, and this seems to be due to the presence of the inner field event.

Is there a way to pass the event name inside the event object?

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@fmathis ,
It depends on your implementation but I was able to send a json with event in the message programmatically as well as using simple curl.

curl -k -H "Authorization: Splunk my_splunk_token" https://my_splunk_host:hec_port/services/collector/event -d '{"sourcetype": "_json", "event": "{\"event\":\"my_event\",\"message\":\"This message has event name\"}"}'

Result
alt text

From your event above, looks like the timestamp is a future one. You may try searching the default index configured with the token and also probably for "All Time"

Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@fmathis ,
It depends on your implementation but I was able to send a json with event in the message programmatically as well as using simple curl.

curl -k -H "Authorization: Splunk my_splunk_token" https://my_splunk_host:hec_port/services/collector/event -d '{"sourcetype": "_json", "event": "{\"event\":\"my_event\",\"message\":\"This message has event name\"}"}'

Result
alt text

From your event above, looks like the timestamp is a future one. You may try searching the default index configured with the token and also probably for "All Time"

Happy Splunking!

fmathis
Engager

Thanks a lot for your answer, I must have been fooled by the timestamp !
The thing is, I could never find an exemple of sending an event field inside the event object, so I started doubting that might be possible.
Thanks again !

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...