I want to try inputting a simple event to the HTTP Event Collector just to test if it works. I think it was able to find the web address and also authenticate with the token value, but I get an "Invalid data format" error. What can I do to fix it?
I have the following command:
curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" https://localhost:8088/services/collector/event -d '{"event":"testing"}'
With the following result:
{"text":"Invalid data format","code":6,"invalid-event-number":0}
Just replace event by raw like this:
curl -k https://localhost:8088/services/collector/raw -H "Authorization: Splunk 65652e8c-443d-42b6-9b75-02657b215665" -d '{"event":"This is test http event collector"}'
You can find the answer from this link:
https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2
Was getting similar errors too. Adding the /raw in my curl statement resolved the issue.
I know this is an old post, but it seems that there isn't a good answer to this question, so I felt I should share after recently experiencing the same error.
The error, in my experience, is indicative of a formatting issue or of expected key/value pairs that are missing from your data. I would inspect the data for unexpected characters, white spaces, etc. as well. An example: I ran into this issue, and when inspecting the format of the data there were white spaces after the colons that separate k/v pairs:
Example of data where I saw this error. Although not apparent, there are white spaces between the key: value. When I removed the white spaces, I was able to successfully send the data:
(NOTE: This is metric data going to a metric index).
"{
"source": "t_e_api",
"host": "server1,
"event": "metric",
"fields":
{
"ftpTimeLimit": "1",
"group": "",
"metric_name": "c_u_used",
"agents": "",
"accountGroupName": "Is1",
"url": "",
"type": "1",
"interval":"4",
"enabled":"1",
"testName": "test1",
"_value": 3022222,
"sipTimeLimit": "1",
"httpTimeLimit": "3",
"aid": 170000,
"pageLoadTimeLimit": "7",
"test_id": 110101,
"testType": "Web - HTTP Server"
},
"time": 1571420739
}"
This adjustment (removal of white spaces) fixed the issue:
"{
"source":"t_e_api",
"host":"server1,
"event":"metric",
"fields":
{
"ftpTimeLimit":"1",
"group":"",
"metric_name":"c_u_used",
"agents":"",
"accountGroupName":"Is1",
"url":"",
"type":"1",
"interval":"4",
"enabled":"1",
"testName":"test1",
"_value":3022222,
"sipTimeLimit":"1",
"httpTimeLimit":"3",
"aid":170000,
"pageLoadTimeLimit":"7",
"test_id":110101,
"testType":"Web - HTTP Server"
},
"time":1571420739
}"
Need to add sourcetype in your event like {"event":"testing", "sourcetype": "st"}
Why the duplicate post? You already had a thread going... Anyways, try escaping the double quotes (curl may not like it the way it is):
curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" https://localhost:8088/services/collector/event -d '{\"event\":\"testing\"}'
I still have the same error 😞
For the record, this one worked for us -
curl "https://<HEC service>:443/services/collector/event" -H "Authorization: Splunk f5b9eac2-7319-4dfb-80d0-86f44a9785cd" -k -d "{\"host\":\"xxxx\",\"sourcetype\":\"test_hec\",\"source\":\"test\",\"event\":{\"message\":\"ERROR\",\"code\":\"401\"}}"
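Added example, not part of any post in this thread: a local pre-flight check in Python that parses a /services/collector/event body the way a strict JSON parser would and reports where it breaks, before anything is sent. The function name `check_hec_body` and all sample bodies are constructed for illustration; the check assumes only that the body is one or more JSON objects, each with a non-blank "event" key, and it never contacts Splunk.

```python
import json

def check_hec_body(body):
    """Return a list of problems in a /services/collector/event body ([] = looks OK)."""
    problems, decoder, pos, n = [], json.JSONDecoder(), 0, 0
    while True:
        while pos < len(body) and body[pos].isspace():
            pos += 1                      # whitespace between batched envelopes
        if pos >= len(body):
            break
        try:
            obj, pos = decoder.raw_decode(body, pos)
        except json.JSONDecodeError as e:
            problems.append(f"event {n}: not valid JSON at line {e.lineno}, "
                            f"column {e.colno}: {e.msg}")
            break                         # nothing after a syntax error is reliable
        if not isinstance(obj, dict):
            problems.append(f"event {n}: envelope must be a JSON object")
        else:
            if obj.get("event") in (None, ""):
                problems.append(f'event {n}: "event" key is missing or blank')
            if "fields" in obj and not isinstance(obj["fields"], dict):
                problems.append(f'event {n}: "fields" must be a JSON object')
        n += 1
    if n == 0 and not problems:
        problems.append("body is empty")
    return problems

# Constructed sample bodies, written as the bytes the server would receive
# after the shell has finished with the quoting.
SAMPLES = {
    "compact": '{"event":"testing"}',
    # whitespace around ':' and ',' is insignificant to a JSON parser
    "spaced": '{ "event" : "testing" , "sourcetype" : "st" }',
    # a POSIX shell keeps backslashes inside single quotes, so they reach the server
    "backslashes inside single quotes": r'{\"event\":\"testing\"}',
    # a string value with no closing quote runs on into the next line
    "unterminated string": '{"host": "server1,\n"event": "metric"}',
    "no event key": '{"sourcetype": "st"}',
    "batch of two": '{"event":"a"}{"event":"b"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {check_hec_body(body) or 'OK'}")
```

To check a real payload, save the exact string passed to `-d` into a file and call `check_hec_body` on its contents.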