HTTP Event Collector does not completely index data

New Member

While trying to index data using the HTTP Event Collector, I got some data loss, especially in the last row.
The data format used is the following:

  • Multiple lines separated by CRLF
  • Encoded in UTF-8
  • Data format: flat JSON

Example:
{"field1":1,"field2":2,"field3":"smth"} CRLF
{"field1":2,"field2":3,"field3":"smth"} CRLF
{"field1":3,"field2":4,"field3":"smth"}

Does anyone have an idea about this problem?

0 Karma

Communicator

Can you show your sourcetype in props.conf?

0 Karma

New Member

Unfortunately, I do not have access to the props.conf.
We found that special characters are causing trouble for the HEC, such as double quotes “ or é or è ...
Is there any solution to let the HEC accept those characters?

0 Karma

New Member

I don't know if this can help. In the indexed data I found this: sourcetype = _json

0 Karma

Communicator

Which Splunk version are you using?

0 Karma

New Member

We are using Splunk 6.5.3.

0 Karma