HTTP event collector -- error with data format?

tamduong16
Contributor

I want to try inputting a simple event to the HTTP event collector just to test if it works. I think it was able to find the web address and also authenticate with the token value. But I get an invalid data format error. What can I do to fix it?
I have the following command:
curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" https://localhost:8088/services/collector/event -d '{"event":"testing"}'
With the following result:
{"text":"Invalid data format","code":6,"invalid-event-number":0}

0 Karma

anupagazi
Engager

Just replace event by raw like this:
curl -k https://localhost:8088/services/collector/raw -H "Authorization: Splunk 65652e8c-443d-42b6-9b75-02657b215665" -d '{"event":"This is test http event collector"}'
You can find the answer from this link:
https://medium.com/adarma-tech-blog/splunk-http-event-collectors-explained-2c22e87ab8d2

NKB
Engager

Was getting similar errors too. Adding the /raw in my curl statement resolved the issue.

0 Karma

damiensurat
Contributor

I know this is an old post, but it seems that there isn't a good answer to this question, so I felt I should share after recently experiencing the same error.
The error, in my experience, is indicative of a formatting issue or of expected key/value pairs that are missing in or with your data. I would inspect the data for unexpected characters, white spaces, etc. as well. An example: I ran into this issue, and when inspecting the format of the data there were white spaces between colons that separate k/v pairs:

Example of data where I saw this error. Although not apparent, there are white spaces between the key: value. When I removed the white spaces, I was able to successfully send the data:
(NOTE: This is metric data going to a metric index).

"{
"source": "t_e_api",
"host": "server1",
"event": "metric",
"fields":
{
"ftpTimeLimit": "1",
"group": "",
"metric_name": "c_u_used",
"agents": "",
"accountGroupName": "Is1",
"url": "",
"type": "1",
"interval":"4",
"enabled":"1",
"testName": "test1",
"_value": 3022222,
"sipTimeLimit": "1",
"httpTimeLimit": "3",
"aid": 170000,
"pageLoadTimeLimit": "7",
"test_id": 110101,
"testType": "Web - HTTP Server"
},
"time": 1571420739
}"

This adjustment (removal of white spaces) fixed the issue:
"{
"source":"t_e_api",
"host":"server1",
"event":"metric",
"fields":
{
"ftpTimeLimit":"1",
"group":"",
"metric_name":"c_u_used",
"agents":"",
"accountGroupName":"Is1",
"url":"",
"type":"1",
"interval":"4",
"enabled":"1",
"testName":"test1",
"_value":3022222,
"sipTimeLimit":"1",
"httpTimeLimit":"3",
"aid":170000,
"pageLoadTimeLimit":"7",
"test_id":110101,
"testType":"Web - HTTP Server"
},
"time":1571420739
}"

0 Karma

chli_splunk
Splunk Employee

Need to add sourcetype in your event like {"event":"testing", "sourcetype": "st"}

0 Karma

s2_splunk
Splunk Employee

Why the duplicate post? You already had a thread going... Anyways, try escaping the double quotes (curl may not like it the way it is):

curl -k -H "Authorization: Splunk B86C5445-76D4-4FAF-A0FA-D8FE2FA49F79" https://localhost:8088/services/collector/event -d '{\"event\":\"testing\"}'
0 Karma

tamduong16
Contributor

I still have the same error 😞

0 Karma

ddrillic
Ultra Champion

For the record, this one worked for us -

curl "https://<HEC service>:443/services/collector/event" -H "Authorization: Splunk f5b9eac2-7319-4dfb-80d0-86f44a9785cd" -k -d "{\"host\":\"xxxx\",\"sourcetype\":\"test_hec\",\"source\":\"test\",\"event\":{\"message\":\"ERROR\",\"code\":\"401\"}}"
0 Karma
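
A local pre-flight check for the body passed to `curl -d`, as an added example that is not part of any post in this thread and not Splunk's code. It reports where a body stops being valid JSON (shell-mangled quotes, literal backslashes, an invisible non-breaking space) and whether each batched object carries an `event` key; the function name `check_hec_body` and the sample bodies are constructed for illustration.

```python
import json

JSON_WS = " \t\r\n"  # the only whitespace JSON permits between tokens

def check_hec_body(body):
    """Pre-flight check of a /services/collector/event body.

    Returns a list of problems (empty when none are found). This checks JSON
    well-formedness and the "event" key only; it is not Splunk's parser.
    """
    problems, decoder, pos, n = [], json.JSONDecoder(), 0, 0
    while True:
        while pos < len(body) and body[pos] in JSON_WS:
            pos += 1  # HEC batches are JSON objects sent back to back
        if pos >= len(body):
            break
        try:
            obj, pos = decoder.raw_decode(body, pos)
        except json.JSONDecodeError as exc:
            found = body[exc.pos:exc.pos + 1]
            problems.append(f"event {n}: not valid JSON at offset {exc.pos} "
                            f"({exc.msg}; found {found!r})")
            break
        if not isinstance(obj, dict):
            problems.append(f"event {n}: top level is not a JSON object")
        elif obj.get("event") in (None, ""):
            problems.append(f'event {n}: "event" key is missing or blank')
        n += 1
    if n == 0 and not problems:
        problems.append("body is empty")
    return problems

# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "plain event": '{"event":"testing"}',
    "batch of two": '{"event":"a"}\n{"event":"b"}',
    "quotes lost in the shell": "'{event:testing}'",
    "literal backslashes": '{\\"event\\":\\"testing\\"}',
    "non-breaking space after colon": '{"event":\u00a0"testing"}',
    "unterminated string": '{"source":"t_e_api","host":"server1,"event":"metric"}',
    "metadata only": '{"sourcetype":"st"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {check_hec_body(body) or 'ok'}")
```

To check what a given shell really hands to curl, write the body to a file, run the check on the file contents, and send it with `curl -d @file`.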