Getting Data In

HEC replacing underscore (_) with space ( )

jwhughes58
Contributor

I'm working with Proofpoint Threat Response events that are being sent to our instance of Splunk using an HEC connection.  The part of the threat response event

 

u'incident_field_values': [{u'name': u'Severity', u'value': u'Informational'},

 

The raw Splunk event

 

"incident field values": [{"name": "Severity", "value": "Informational"},

 

As far as I know the HEC shouldn't do any translation so how did incident_field_values become the same name using spaces instead of underscores?  The version is 7.3.6.

TIA,

Joe

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...