Getting Data In

How to determine if data sent to HEC came in on Event or Raw endpoint

gn694
Communicator

Is there any way to tell whether data coming into Splunk's HEC was sent to the event or raw endpoint?
You can't really tell from looking at the events themselves, so I was hoping there was a way to tell based on something like the token, sourcetype, source, or host.

I have tried searching the _internal index and have not found anything helpful.

1 Solution

livehybrid
SplunkTrust

Hi @gn694 

If you are on-prem then you can set the HttpInputDataHandler component to DEBUG mode (but don't do it for long!) - this will record the contents of HEC payloads in _internal, which might help you work out if it's the raw or event endpoint.

Edit the log level via Settings->Server Settings->Server Logging - search for "HttpInputDataHandler" and change to DEBUG.

Shortly after you will get logs like this:

[screenshot livehybrid_0-1745436446828.png: HttpInputDataHandler DEBUG log lines in _internal]

Search:

index=_internal sourcetype=splunkd log_level=debug component=HttpInputDataHandler

In my example, the top one was using the event endpoint and the bottom using the raw endpoint.

The logs sent to the event endpoint will always have an "event" field in the body_chunk value, along with other fields like time/host/source etc.

Try this and let me know how you get on!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

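As an added example (not from this thread, and not Splunk's own tooling): a small Python script that applies the check described in the answer above to exported HttpInputDataHandler DEBUG lines. It pulls the body_chunk value out of each line, tries to parse it as one or more concatenated JSON objects (the /services/collector/event endpoint accepts several objects back to back), and labels the payload "event" only if every object has a top-level "event" key. The sample lines are constructed; the exact splunkd line layout and the assumption that body_chunk is the last field on the line are mine, so adjust extract_body_chunk() to the format you actually see in _internal.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample lines (not real splunkd output). They mimic the shape of a
# HttpInputDataHandler DEBUG line carrying a body_chunk value; the field layout
# and the position of body_chunk are assumptions, not Splunk's documented format.
SAMPLE_LINES = [
    '04-23-2025 19:27:26.828 +0000 DEBUG HttpInputDataHandler [1001 HttpDedicatedIoThread-0] - '
    'body_chunk={"time": 1745436446, "host": "web01", "source": "nginx", '
    '"sourcetype": "access_combined", "event": "GET /index.html 200"}',
    '04-23-2025 19:27:27.101 +0000 DEBUG HttpInputDataHandler [1001 HttpDedicatedIoThread-0] - '
    'body_chunk=Apr 23 19:27:27 web01 sshd[4711]: Accepted publickey for deploy from 10.0.0.5',
    '04-23-2025 19:27:28.004 +0000 DEBUG HttpInputDataHandler [1001 HttpDedicatedIoThread-0] - '
    'body_chunk={"event": {"action": "login"}}{"event": {"action": "logout"}}',
    '04-23-2025 19:27:28.500 +0000 DEBUG HttpInputDataHandler [1001 HttpDedicatedIoThread-0] - '
    'body_chunk={"action": "login", "user": "alice"}',
]

# Assumes body_chunk is the last key=value pair on the line (constructed assumption).
BODY_CHUNK_RE = re.compile(r'body_chunk=(.*)$')


def extract_body_chunk(line: str) -> Optional[str]:
    """Return the body_chunk value from a debug line, or None if the line has none."""
    match = BODY_CHUNK_RE.search(line)
    if not match:
        return None
    body = match.group(1).strip()
    # Tolerate a quoted value in case the logger wraps the payload in double quotes.
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    return body


def parse_json_objects(body: str) -> Optional[list]:
    """Parse a payload as one or more concatenated JSON values.

    Returns the list of parsed values, or None if any part is not valid JSON
    (which is what a plain-text payload to the /raw endpoint looks like).
    """
    decoder = json.JSONDecoder()
    body = body.strip()
    objects = []
    idx = 0
    while idx < len(body):
        try:
            obj, end = decoder.raw_decode(body, idx)
        except json.JSONDecodeError:
            return None
        objects.append(obj)
        idx = end
        # Skip whitespace between back-to-back objects.
        while idx < len(body) and body[idx].isspace():
            idx += 1
    return objects or None


def classify_body(body: str) -> str:
    """Label a payload "event" if it is JSON and every object carries an "event" key.

    Everything else is labelled "raw": non-JSON text, or JSON without an "event"
    key (which the /event endpoint would have rejected, so it can only have
    arrived via /raw if it was indexed at all).
    """
    objects = parse_json_objects(body)
    if objects and all(isinstance(o, dict) and "event" in o for o in objects):
        return "event"
    return "raw"


def classify_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify every line that carries a body_chunk; returns (label, payload) pairs."""
    results = []
    for line in lines:
        body = extract_body_chunk(line)
        if body is None:
            continue
        results.append((classify_body(body), body))
    return results


if __name__ == "__main__":
    for label, payload in classify_lines(SAMPLE_LINES):
        print(f"{label:5s}  {payload[:70]}")
```

The check is one-directional: every /event payload has a top-level "event" key, but the /raw endpoint accepts arbitrary text, so a raw payload that happens to be JSON with an "event" key is labelled "event" as well. Treat the result as a strong hint, and pair it with the token, source and sourcetype on the same events. Since DEBUG writes the full payload contents into _internal, keep read access to that index limited while it is on and revert the log level as soon as you have your answer.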

PickleRick
SplunkTrust

There is yet another thing which can sometimes hint at whether you're getting data onto one or the other endpoint. With the /event endpoint you can push indexed fields. So if you have some non-raw-based fields which obviously weren't extracted/calculated in the ingestion pipeline (but for this you'd have to dig through your index-time configs), that would strongly suggest you're getting data via the /event endpoint.


gn694
Communicator

I was afraid of that. Makes it hard for me because I don't have access to the source side of things for most things coming into HEC.

VatsalJagani
SplunkTrust

@gn694 - I don't think there is any direct way or internal logs you can use for what you need.

Unless you can see the difference in data in terms of fields indexed OR you check on the source side.
