I'm ingesting data into Splunk via the HTTP Event Collector (HEC), but the data is wrapped inside a "data" key instead of "event". Splunk expects events inside the "event" key, and I'm getting the error:
Failed to send data: {"text":"No data","code":5}
Here’s an example of the data I’m sending:
{
"data": {
"timestamp": "2025-04-01T19:51:07.720Z",
"userId": "",
"userAgent": "Visual Studio Code/1.98.2 (Continue/1.0.5)",
"selectedProfileId": "local",
"eventName": "chatFeedback",
"schema": "0.2.0",
"prompt": "|>\n",
"completion": "Sample completion text",
"modelTitle": "Llama",
"feedback": true,
"sessionId": "c36c18eb-25e6-4448-b9b5-a50cdd2a0baa"
}
index="test"
sourcetype="test:json"
source="telemetry"
}
How can I transform incoming HEC data so that "data" is treated as "event" in Splunk? Is there a better way to handle this at the Splunk configuration level?
Thanks in advance for any help!
@ITWhisperer
Hi @bhavesh0124
I'm not able to test this directly at the moment, but the following might work for you!
== props.conf ==
[yourSourcetypeName]
TRANSFORMS-extractRaw = extractHECRaw
== transforms.conf ==
[extractHECRaw]
INGEST_EVAL = _raw:=json_extract(_raw,"data")
This should extract the data section of the JSON and assign it to _raw. If you need to extract the index/source then you can do this before setting the new _raw value.
🌟 Did this answer help you? If so, please consider:
Your feedback encourages the volunteers in this community to continue contributing.
Thank you for your prompt response.
I have no control over the source JSON unfortunately.
I tried sending it inside the raw HEC endpoint. It works flawlessly. However the data shows up like this nested json. Any way to make it nice and tidy?
{ [-]
data: { [-]
message: This is New test
severity: info
}
index: test
sourcetype: test:json
source: telemetry
}
Thank you! From your help I made it work with an alternate solution.
props.conf
[sourcetype]
TRANSFORMS-extract_data = rename_data_to_event
transforms.conf
[rename_data_to_event]
# Captures the object that follows the "data" key and makes it the new _raw.
# The non-greedy .*? stops at the first "}" it meets, so this only captures
# a flat "data" object; a nested object inside "data" is cut short.
REGEX = "data":\s*({.*?})
FORMAT = $1
WRITE_META = true
DEST_KEY = _raw
Really appreciate your help @livehybrid
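The two ingest-time rewrites in this thread, the INGEST_EVAL json_extract() stanza in the earlier reply and the REGEX/FORMAT stanza in this one, give the same _raw for the flat {message, severity} object shown above but diverge as soon as "data" holds a nested object. The following is an added example, not code from the thread and not a Splunk feature: a Python model of both rewrites, using Python's re and json modules in place of Splunk's PCRE engine and json_extract(), run on two constructed payloads (one flat, one nested). The function names and the sample payloads are this example's own.

```python
"""Model of the two ingest-time rewrites discussed in this thread, run
outside Splunk so the difference can be seen on sample payloads.

Added example: it reimplements in Python what the posted transforms.conf
stanzas do to _raw. Python's re stands in for Splunk's PCRE REGEX/FORMAT
and json.loads()/json.dumps() stand in for INGEST_EVAL json_extract().
The sample payloads are constructed for the example.
"""
import json
import re
from typing import Optional, Tuple

# The posted REGEX, with the braces escaped for Python's re module.
# Non-greedy .*? stops at the FIRST closing brace it meets.
DATA_REGEX = re.compile(r'"data":\s*(\{.*?\})')


def rewrite_raw_with_regex(raw: str) -> Optional[str]:
    """Model of REGEX / FORMAT = $1 / DEST_KEY = _raw.

    Returns the new _raw, or None when the regex does not match (Splunk
    would then leave _raw untouched).
    """
    m = DATA_REGEX.search(raw)
    return m.group(1) if m else None


def rewrite_raw_with_json(raw: str) -> Tuple[str, dict]:
    """Model of the INGEST_EVAL route: pull index/source/sourcetype out of the
    outer object first, then _raw := json_extract(_raw, "data").

    Returns (new_raw, metadata). Raises KeyError when "data" is absent, which
    the caller should treat as a malformed payload rather than index as-is.
    """
    payload = json.loads(raw)
    meta = {k: payload[k] for k in ("index", "source", "sourcetype") if k in payload}
    new_raw = json.dumps(payload["data"], separators=(",", ":"))
    return new_raw, meta


def is_valid_json(text: Optional[str]) -> bool:
    """True when text parses as JSON; False for None or a truncated object."""
    if text is None:
        return False
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


# Constructed samples: the flat shape from the thread, and one with nesting.
FLAT = ('{"data":{"message":"This is New test","severity":"info"},'
        '"index":"test","sourcetype":"test:json","source":"telemetry"}')
NESTED = ('{"data":{"user":{"id":"u1","role":"admin"},"eventName":"login"},'
          '"index":"test","sourcetype":"test:json","source":"telemetry"}')


def compare(raw: str) -> dict:
    """Run both rewrites on one payload and report whether each _raw is parseable."""
    regex_raw = rewrite_raw_with_regex(raw)
    json_raw, meta = rewrite_raw_with_json(raw)
    return {
        "regex_raw": regex_raw,
        "regex_ok": is_valid_json(regex_raw),
        "json_raw": json_raw,
        "json_ok": is_valid_json(json_raw),
        "meta": meta,
    }


if __name__ == "__main__":
    for name, sample in (("flat", FLAT), ("nested", NESTED)):
        r = compare(sample)
        print(f"{name}: regex_ok={r['regex_ok']} json_ok={r['json_ok']} meta={r['meta']}")
        print("  regex _raw:", r["regex_raw"])
        print("  json  _raw:", r["json_raw"])
```

On the nested payload the regex route hands Splunk an unbalanced string (`{"user":{"id":"u1","role":"admin"}`), which is indexed as _raw and then fails JSON field extraction at search time; the JSON-aware route, which is what json_extract() gives you, keeps the whole object. Two further points worth keeping in mind with the raw endpoint: the index/sourcetype/source keys inside the JSON are just text in _raw, so Splunk assigns the event's metadata from the token's defaults or the request's query-string parameters, and the props stanza must therefore match the sourcetype the token assigns; and any metadata you do want to lift out of the payload has to be read before _raw is overwritten, since the rewrite discards the outer object.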
Hi @bhavesh0124
Are you able to reconfigure the source so that it sends with an "event" key instead of "data"?
That JSON structure is almost correct for the event HEC endpoint, meaning it will use the index/sourcetype/source values etc. in the JSON payload and index the "event" key as the _raw field.
If you aren't able to correct this at source then you will need to use the "raw" HEC endpoint and then do a chunky amount of props/transforms to extract the relevant index/source/sourcetype from the event and re-write the data content into the _raw field...
This is less than ideal but possible; it may well be easier to adjust the source which is sending it incorrectly.
Check out Format events for HTTP Event Collector
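The event endpoint wants the body under "event" with the metadata keys beside it, which is the question's payload with one key renamed. Where the source itself cannot be changed, that rename can be done by a small shim sitting between the source and HEC instead of by props/transforms on the raw endpoint. The following is an added example, not code from the thread and not part of Splunk: it rewrites a "data" payload into an event-endpoint body, sets "time" from the body's own timestamp so Splunk does not fall back to receipt time, and posts it with the token in the Authorization header. HEC_URL and HEC_TOKEN are placeholders, the function names are this example's own, and the sample payload is constructed from the one in the question.

```python
"""Rewrite a payload that carries its body under "data" into the shape the
HEC event endpoint (/services/collector/event) expects, then post it.

Added example, not code from the thread and not part of Splunk: a shim you
would run in front of HEC when the source cannot be changed. Assumptions:
the source posts JSON shaped like the sample in the question; HEC_URL and
HEC_TOKEN below are placeholders (the token is read from the environment
rather than hard-coded, since it is a bearer credential).
"""
import json
import os
import urllib.request
from datetime import datetime, timezone
from typing import Optional

HEC_URL = "https://splunk.example:8088/services/collector/event"  # placeholder
HEC_TOKEN = os.environ.get("HEC_TOKEN", "")  # placeholder; set in the environment

# Metadata keys the event endpoint accepts at the top level beside "event".
HEC_META_KEYS = ("index", "source", "sourcetype", "host")


def iso8601_to_epoch(ts: str) -> Optional[float]:
    """Convert a UTC timestamp such as 2025-04-01T19:51:07.720Z to epoch seconds.

    Returns None when the string does not match either accepted form.
    """
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc).timestamp()
        except ValueError:
            continue
    return None


def to_hec_event(payload: dict) -> dict:
    """Build an event-endpoint body: the event body under "event", metadata beside it.

    Raises ValueError when there is nothing to put under "event", which is the
    situation HEC itself reports as {"text":"No data","code":5}.
    """
    body = payload.get("event", payload.get("data"))
    if body is None:
        raise ValueError('payload has neither "event" nor "data"')
    out = {"event": body}
    for key in HEC_META_KEYS:
        if key in payload:
            out[key] = payload[key]
    # Use the source's own timestamp as the event time when it is present.
    ts = body.get("timestamp") if isinstance(body, dict) else None
    epoch = iso8601_to_epoch(ts) if isinstance(ts, str) else None
    if epoch is not None:
        out["time"] = epoch
    return out


def send_to_hec(hec_url: str, token: str, event: dict, timeout: float = 5.0) -> int:
    """POST one event-endpoint body and return the HTTP status code.

    TLS verification is left at urllib's default (on): the token is a bearer
    credential and must not be sent over an unverified channel.
    """
    req = urllib.request.Request(
        hec_url,
        data=json.dumps(event).encode(),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample, shaped like the payload in the question.
SAMPLE = {
    "data": {
        "timestamp": "2025-04-01T19:51:07.720Z",
        "eventName": "chatFeedback",
        "modelTitle": "Llama",
        "feedback": True,
    },
    "index": "test",
    "sourcetype": "test:json",
    "source": "telemetry",
}

if __name__ == "__main__":
    event = to_hec_event(SAMPLE)
    print(json.dumps(event, indent=2))
    # Uncomment to actually deliver it once HEC_URL and HEC_TOKEN are real:
    # print(send_to_hec(HEC_URL, HEC_TOKEN, event))
```

Because the rewrite happens before the request reaches Splunk, the in-payload index/sourcetype/source are honoured by the event endpoint as livehybrid describes, and no props/transforms are needed on the indexer. The token still has to be allowed to write to the index named in the payload; HEC rejects the event otherwise.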