HTTP Event Collector do not completly index data

nanapark · ‎06-25-2018

While trying to index data using the HTTP Event Collector, I got some data loss, especially in the last row.
Data format used is the following:

Multiple lines separated by CRLF
encode UTF-8
Data's format : flat JSON

Example:
{"field1":1,"field2":2,"field3":"smth"} CRLF
{"field1":2,"field2":3,"field3":"smth"} CRLF
{"field1":3,"field2":4,"field3":"smth"}

Anyone have an idea about this problem?

amiftah · ‎06-25-2018

Can you show your sourcetype in props.conf ?

nanapark · ‎06-26-2018

Unfortunately, I do not have access to the props.conf
We found that special characters are making trouble for the HEC such as: double quotes “ or é or è ...
Is there any solution to let the HEC accept those characters?

nanapark · ‎06-26-2018

I don't know if this can help. In indexed data I found this : sourcetype = _json

amiftah · ‎06-26-2018

Which Splunk version are you using?

nanapark · ‎06-27-2018

we are using splunk 6.5.3

HTTP Event Collector do not completly index data

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?

HTTP Event Collector do not completly index data

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps