Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- HTTP event collector -- error with data format?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HTTP event collector -- error with data format?
tamduong16
Contributor
09-20-2017
02:18 PM
I want to try to inputting a simple event to HTTP event collector just to test if it works. I think it was able to find the web address and also authenticate it with the token value. But I get an error with the invalid data format. What can I do to fix it?
I have the following command:
curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" https://localhost:8088/services/collector/event -d '{"event":"testing"}'
With the following result:
{"text":"Invalid data format","code":6,"invalid-event-number":0}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anupagazi
Engager
04-09-2020
09:10 PM
Just replace event by raw like this:
curl -k https://localhost:8088/services/collector/raw -H "Authorization: Splunk 65652e8c-443d-42b6-9b75-02657b215665" -d '{"event":"This is test http event collector"}'
You can find the answer from this link:
https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2,Just replace event by raw like this:
curl -k https://localhost:8088/services/collector/raw -H "Authorization: Splunk 65652e8c-443d-42b6-9b75-02657b215665" -d '{"event":"This is test http event collector"}'
I found this answer from following link:
https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NKB
Engager
02-26-2024
06:51 PM
Was getting similar errors too. Adding the /raw in my curl statement resolved the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damiensurat
Contributor
10-21-2019
06:14 AM
I know this is an old post, but it seems that there isn't a good answer to this question, so I felt I should share after recently experiencing the same error.
The error is in my experience is indicative of a formatting issue or expected key / value pairs that are missing in or with your data. I would inspect the data for unexpected characters, white space's, etc as well. An example: I ran into this issue, and when inspecting the format of the data there were white spaces between colons that separate k/v pairs:
Example of data where I saw this error. Although not apparent, there are white spaces between the key: value. When I removed the white spaces, I was able to successfully send the data:
(NOTE: This is metric data going to a metric index).
"{
"source": "t_e_api",
"host": "server1,
"event": "metric",
"fields":
{
"ftpTimeLimit": "1",
"group": "",
"metric_name": "c_u_used",
"agents": "",
"accountGroupName": "Is1",
"url": "",
"type": "1",
"interval":"4",
"enabled":"1",
"testName": "test1",
"_value": 3022222,
"sipTimeLimit": "1",
"httpTimeLimit": "3",
"aid": 170000,
"pageLoadTimeLimit": "7",
"test_id": 110101,
"testType": "Web - HTTP Server"
},
"time": 1571420739
}"
This adjustment (removal of white spaces) fixed the issue:
"{
"source":"t_e_api",
"host":"server1,
"event":"metric",
"fields":
{
"ftpTimeLimit":"1",
"group":"",
"metric_name":"c_u_used",
"agents":"",
"accountGroupName":"Is1",
"url":"",
"type":"1",
"interval":"4",
"enabled":"1",
"testName":"test1",
"_value":3022222,
"sipTimeLimit":"1",
"httpTimeLimit":"3",
"aid":170000,
"pageLoadTimeLimit":"7",
"test_id":110101,
"testType":"Web - HTTP Server"
},
"time":1571420739
}"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chli_splunk
Splunk Employee
09-06-2018
10:08 AM
Need to add sourcetype in your event like {"event":"testing", "sourcetype": "st"}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
s2_splunk
Splunk Employee
09-20-2017
06:51 PM
Why the duplicate post? You already had a thread going... Anyways, try escaping the double quotes (curl may not like it the way it is):
curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" https://localhost:8088/services/collector/event -d '{\"event\":\"testing\"}'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tamduong16
Contributor
09-21-2017
07:15 AM
I still have the same error 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
05-31-2019
01:27 PM
For the record, this one worked for us -
curl "https://<HEC service>:443/services/collector/event" -H "Authorization: Splunk f5b9eac2-7319-4dfb-80d0-86f44a9785cd" -k -d "{\"host\":\"xxxx\",\"sourcetype\":\"test_hec\",\"source\":\"test\",\"event\":{\"message\":\"ERROR\",\"code\":\"401\"}}"
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
