While trying to index data using the HTTP Event Collector, I got some data loss, especially in the last row.
Data format used is the following:
Example:
{"field1":1,"field2":2,"field3":"smth"} CRLF
{"field1":2,"field2":3,"field3":"smth"} CRLF
{"field1":3,"field2":4,"field3":"smth"}
Does anyone have an idea about this problem?
Can you show your sourcetype in props.conf?
Unfortunately, I do not have access to the props.conf.
We found that special characters are making trouble for the HEC, such as double quotes “ or é or è ...
Is there any solution to let the HEC accept those characters?
I don't know if this can help. In the indexed data I found this: sourcetype = _json
Which Splunk version are you using?
We are using Splunk 6.5.3.