Re: HTTP Event Collector do not completly index da...

nanapark · ‎06-25-2018

While trying to index data using the HTTP Event Collector, I got some data loss, especially in the last row.
Data format used is the following:

Multiple lines separated by CRLF
encode UTF-8
Data's format : flat JSON

Example:
{"field1":1,"field2":2,"field3":"smth"} CRLF
{"field1":2,"field2":3,"field3":"smth"} CRLF
{"field1":3,"field2":4,"field3":"smth"}

Anyone have an idea about this problem?

amiftah · ‎06-25-2018

Can you show your sourcetype in props.conf ?

nanapark · ‎06-26-2018

Unfortunately, I do not have access to the props.conf
We found that special characters are making trouble for the HEC such as: double quotes “ or é or è ...
Is there any solution to let the HEC accept those characters?

nanapark · ‎06-26-2018

I don't know if this can help. In indexed data I found this : sourcetype = _json

amiftah · ‎06-26-2018

Which Splunk version are you using?

nanapark · ‎06-27-2018

we are using splunk 6.5.3

HTTP Event Collector do not completly index data

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes