I need to connect data from a third-party application via HEC to Splunk. It sends data in this format, 1 event per request:
{
  "field1":"value",
  "field2":"value"
}
After looking at the documentation for HEC, I discovered that for events to work correctly, they must have the following format:
{
  "event":{
    "field1":"value",
    "field2":"value"
  }
}
Otherwise I receive an error:
{"text":"No data","code":5}
I don't have the ability to change the event format on the third-party application side. How can this problem be solved?
There are several ways to send data to HEC and not all of them use that format. The raw endpoint should accept events in your desired format. See https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/FormateventsforHTTPEventCollector#Format_eve...
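The raw-endpoint approach from the answer above, next to the wrapped form the event endpoint expects, as an added example that is not part of the original thread. The host name, token, `_json` sourcetype and the helper names are assumptions made for illustration; the requests are built but not sent.

```python
import json
import uuid
import urllib.parse
import urllib.request

# Constructed sample values; replace with your own HEC host and token.
HEC_BASE = "https://splunk.example.com:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def raw_request(body: bytes, sourcetype="_json", channel=None):
    """Build a POST to the raw endpoint; the body is forwarded unchanged."""
    # Metadata travels in the query string because the body has no envelope.
    query = urllib.parse.urlencode({"sourcetype": sourcetype})
    headers = {"Authorization": f"Splunk {HEC_TOKEN}"}
    if channel:  # needed when indexer acknowledgment is enabled on the token
        headers["X-Splunk-Request-Channel"] = channel
    return urllib.request.Request(
        f"{HEC_BASE}/services/collector/raw?{query}",
        data=body, headers=headers, method="POST")


def event_request(body: bytes, sourcetype="_json"):
    """Build a POST to the event endpoint, wrapping the payload in "event"."""
    envelope = {"event": json.loads(body), "sourcetype": sourcetype}
    return urllib.request.Request(
        f"{HEC_BASE}/services/collector/event",
        data=json.dumps(envelope).encode(),
        headers={"Authorization": f"Splunk {HEC_TOKEN}"}, method="POST")


def describe(req):
    """Return (url, body) so the two requests can be compared without sending."""
    return req.full_url, req.data.decode()


# Constructed payload in the third-party application's format.
THIRD_PARTY_BODY = b'{"field1":"value","field2":"value"}'

if __name__ == "__main__":
    for req in (raw_request(THIRD_PARTY_BODY, channel=str(uuid.uuid4())),
                event_request(THIRD_PARTY_BODY)):
        print(*describe(req), sep="\n  ")
    # To send for real: urllib.request.urlopen(req, timeout=10), with TLS
    # certificate verification left on so the token is only sent to your HEC.
```

If the third-party application only lets you set a URL and a header, pointing it at the `/services/collector/raw` path with the same `Authorization: Splunk <token>` header is the equivalent change.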