How do you send a raw HTTP Event Collector (HEC) value that contains a space?

TonyLeeVT
Builder

I am trying to send raw HEC messages and have Splunk auto parse the key/value pair. For example, the following curl statement results in a field called foo with a value of bar... and a field called apple and a value of red:

curl -k  https://HOST:PORT/services/collector/raw -H "Authorization: Splunk TOKEN" -d '"foo=bar, apple=red"'

However, if I want to send a value with a space, such as apple=very red, it breaks down. Single ticks don't work, escaped quotes don't work, and no quotes doesn't work:

curl -k  https://HOST:PORT/services/collector/raw -H "Authorization: Splunk TOKEN" -d '"foo=bar, apple=\"very red\""'

This must be possible. Hopefully others have run into it. Thanks in advance!

0 Karma

ccloutier_splun
Splunk Employee

Have you tried using URL Encoding?

As an example, you could POST a name to have it encoded by curl:

curl --data-urlencode "apple=very red" http://example.com
…which would send the following data in the actual request body:

apple=very%20red

The following site has a full explanation and examples of this with curl: https://ec.haxx.se/http-post.html

0 Karma
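
An added example, not part of either post above: a shell helper that builds the key=value line for the raw endpoint, so the exact bytes handed to curl are known before the request is sent. `hec_quote_value` and `hec_kv_line` are hypothetical names, and the example assumes the receiver reads a double-quoted value as one field value, which this thread does not confirm.

```shell
#!/bin/sh
# Added example: hec_quote_value / hec_kv_line are hypothetical helpers,
# not part of Splunk or curl.
# Assumption: the receiver reads key="some value" as one field value.

# Quote one value. Tab/CR/LF become spaces so a value can never start a
# second line; backslash and double quote are backslash-escaped.
hec_quote_value() {
    _v=$(printf '%s' "$1" | tr '\t\r\n' '   ')
    case $_v in
        ''|*' '*|*,*|*=*|*\"*|*\\*)
            _v=$(printf '%s' "$_v" | sed 's/\\/\\\\/g; s/"/\\"/g')
            printf '"%s"' "$_v" ;;
        *)
            printf '%s' "$_v" ;;
    esac
}

# Join KEY=VALUE arguments into one line: foo=bar, apple="very red"
hec_kv_line() {
    _line=
    for _pair in "$@"; do
        case $_pair in
            *=*) ;;
            *) echo "not KEY=VALUE: $_pair" >&2; return 1 ;;
        esac
        _key=${_pair%%=*}
        _val=${_pair#*=}
        case $_key in
            ''|*[!A-Za-z0-9_]*) echo "bad key: $_key" >&2; return 1 ;;
        esac
        _line="${_line}${_line:+, }${_key}=$(hec_quote_value "$_val")"
    done
    printf '%s\n' "$_line"
}

# Constructed sample input; prints the exact body that would be posted.
hec_kv_line foo=bar "apple=very red"

# To send it (HOST, PORT and TOKEN are the placeholders used in the thread):
# hec_kv_line foo=bar "apple=very red" |
#   curl -k https://HOST:PORT/services/collector/raw \
#        -H "Authorization: Splunk TOKEN" --data-binary @-
```

Because line breaks inside a value are flattened and embedded quotes are escaped, a value taken from untrusted input cannot add a second line or close its own quotes to introduce extra key=value pairs.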