Solved: Does the HTTP Event Collector reach the indexing q...

ddrillic · ‎05-03-2019

We think that the HTTP Event Collector reaches directly the indexing queue when using the event end point. Meaning the props.conf that we place are being ignored. Is this right?

starcher · ‎05-03-2019

Yes. You don't do props to parse when using propery formed JSON. HEC is a developer method for sending in data. It is expected you form the data correctly and won't need additional parsing. The raw method will act normally in the sense of what you are asking.

View solution in original post

starcher · ‎05-03-2019

Yes. You don't do props to parse when using propery formed JSON. HEC is a developer method for sending in data. It is expected you form the data correctly and won't need additional parsing. The raw method will act normally in the sense of what you are asking.

ddrillic · ‎05-08-2019

Thank you @starcher !

ddrillic · ‎05-03-2019

Interesting @starcher - is there a good documentation about it?

starcher · ‎05-03-2019

http://dev.splunk.com/view/event-collector/SP-CAAAE6P

ddrillic · ‎05-03-2019

Ok, it says -

-- The HTTP Event Collector endpoint extracts the events from the HTTP request and parses them before sending them to indexers. Because the event data formats, as described in this topic, are pre-determined, Splunk Enterprise is able to parse your data quickly, and then sends it to be indexed. This results in improved data throughput and reduced event processing time compared to other methods of getting data in.

You can configure extraction rules in the props.conf file.

So, it's not clear whether the event end point completely bypasses the props.conf.

Does the HTTP Event Collector reach the indexing queue when using the event end point?

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?