HTTP Event Collector batch post and HTTP errors

yotamcp
Engager

Hi,

I've started using HEC to push data to my Splunk Enterprise instance and noticed the errors I get.

For example, sending this:

{"aa": "hello world"}

Results in:

{
  "text": "No data",
  "code": 5
}

However, when sending events in batches, I will only get this error if the first event I send is problematic:

{"event": "hello world"}
{"aa": "hello world"}

Results in:

{
  "text": "Success",
  "code": 0
}

Because I need to know that all my events were sent successfully (and "acks" are not an option, considering I send data to Splunk Cloud as well), is there anything I can do (other than sending each event by itself)?


venkatasri
SplunkTrust

Hi @yotamcp 

You must be using the /services/collector HEC endpoint. event: <your data> is the format when you send data to the collector endpoint, and only if it is JSON. In your first example there was no event:<> format, hence Splunk HEC ignored it; in the second example you have followed the format.

If you want to send raw data, like any non-JSON, use the /services/raw/ HEC endpoint. You can send multiple events together in a batch. All combinations of examples exist here:

Use cURL to manage HTTP Event Collector tokens, events, and services - Splunk Documentation

https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/HECExamples

---

An upvote would be appreciated and accept solution if it helps!


yotamcp
Engager

I understand all that.

What I was trying to explain was that in a batch, I can send data like this, and get a "Success" message:

{ ... correct format ... }
{ ... correct format ... }
{ ... correct format ... }
{ ... incorrect format ... }
{ ... correct format ... }
{ ... correct format ... }

Or I can send data like this and get an error:

{ ... incorrect format ... }
{ ... correct format ... }
{ ... correct format ... }
{ ... correct format ... }
{ ... correct format ... }
{ ... correct format ... }

What I wanted to know is whether there is a way to send batch data and fail the entire bulk on a single incorrect event (atomically).
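
A client-side pre-flight check for the batch behaviour discussed in this thread, as an added example that is not part of any post or of Splunk's own code: it parses the concatenated JSON body and refuses the whole batch if any object lacks the `event` key, so nothing is posted unless every event is well-formed. The function names and the rule that a blank `event` value is also rejected are assumptions made for the example.

```python
import json

class BatchRejected(ValueError):
    """Raised when any object in the batch fails the pre-flight check."""
    def __init__(self, problems):
        self.problems = problems            # one message per bad object
        super().__init__("; ".join(problems))

def split_batch(payload):
    """Split a body of concatenated JSON values into Python objects."""
    decoder, pos, items = json.JSONDecoder(), 0, []
    while True:
        # raw_decode() does not skip leading whitespace, so do it here
        while pos < len(payload) and payload[pos].isspace():
            pos += 1
        if pos == len(payload):
            return items
        obj, pos = decoder.raw_decode(payload, pos)
        items.append(obj)

def validate_batch(payload):
    """Return the parsed events, or raise BatchRejected naming every bad one."""
    try:
        items = split_batch(payload)
    except json.JSONDecodeError as exc:
        raise BatchRejected([f"unparseable JSON at offset {exc.pos}"]) from exc
    problems = [] if items else ["empty batch"]
    for i, item in enumerate(items):
        if not isinstance(item, dict):
            problems.append(f"event {i}: not a JSON object")
        elif "event" not in item:
            problems.append(f'event {i}: missing "event" key')
        elif item["event"] in (None, ""):   # assumption: blank is rejected too
            problems.append(f'event {i}: blank "event" value')
    if problems:
        raise BatchRejected(problems)
    return items

# Constructed sample: the two-object batch from the question.
SAMPLE = '{"event": "hello world"}\n{"aa": "hello world"}'

if __name__ == "__main__":
    try:
        validate_batch(SAMPLE)
        print("batch is well-formed, safe to POST")
    except BatchRejected as err:
        print("batch not sent:", err)
```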
