Getting Data In

How to determine if data sent to HEC came in on Event or Raw endpoint

gn694
Communicator

Is there any way to tell whether data coming into Splunk's HEC was sent to the event or raw endpoint?
You can't really tell from looking at the events themselves, so I was hoping there was a way to tell based on something like the token, sourcetype, source, or host.

I have tried searching the _internal index and have not found anything helpful.

1 Solution

livehybrid
SplunkTrust

Hi @gn694 

If you are on-prem then you can set the HttpInputDataHandler component to DEBUG mode (but don't do it for long!) - this will record the contents of HEC payloads in _internal, which might help you work out whether it's the raw or event endpoint.

Edit the log level via Settings->Server Settings->Server Logging - search for "HttpInputDataHandler" and change to DEBUG.

Shortly after you will get logs like this:

[screenshot of the resulting HttpInputDataHandler debug log entries]

Search:

index=_internal sourcetype=splunkd log_level=debug  component=HttpInputDataHandler

In my example, the top one was using the event endpoint and the bottom using the raw endpoint.

The logs sent to the event endpoint will always have an "event" field in the body_chunk value, along with other fields like time/host/source etc.

Try this and let me know how you get on!


PickleRick
SplunkTrust

There is yet another thing which can sometimes hint at whether you're getting data onto one or the other endpoint. With the /event endpoint you can push indexed fields. So if you have some non-raw-based fields which obviously weren't extracted/calculated in the ingestion pipeline (but for this you'd have to dig through your index-time configs), that would strongly suggest you're getting data via the /event endpoint.

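A small classifier that turns the two hints above into a check you can run over captured bodies: livehybrid's observation that an event-endpoint payload always carries an "event" key (with the time/host/source/sourcetype/index envelope around it), and PickleRick's point that only the event endpoint can push indexed fields, which travel in the payload's "fields" object. This is an added example for this thread, not Splunk's code and not the format HttpInputDataHandler writes; it assumes the documented payload shapes for /services/collector/event (one or more JSON objects, each with "event") and /services/collector/raw (arbitrary text), and every sample body in it is constructed. Feed it the body_chunk values you pull out of the debug search.

```python
"""Classify a HEC request body as event-endpoint or raw-endpoint style.

Added example for this thread, not Splunk's own code. It assumes the documented
HEC payload shapes: /services/collector/event takes one or more JSON objects,
each with an "event" key and optional envelope keys (time, host, source,
sourcetype, index, fields), while /services/collector/raw takes arbitrary text.
All sample bodies below are constructed for illustration.
"""
import json

# Envelope keys the event endpoint recognises alongside "event".
ENVELOPE_KEYS = {"time", "host", "source", "sourcetype", "index", "fields"}


def iter_json_objects(body: str):
    """Yield each JSON object in a body that may hold several objects
    back to back or newline-separated, which the event endpoint allows.
    Raises json.JSONDecodeError on anything that is not valid JSON."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(body)
    while pos < end:
        while pos < end and body[pos].isspace():  # skip separators
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(body, pos)
        yield obj


def classify_hec_body(body: str) -> dict:
    """Decide which endpoint a captured body was most likely sent to.

    Returns a dict with:
      endpoint        "event" or "raw"
      events          number of JSON events found (0 for raw)
      indexed_fields  sorted names from any "fields" objects (event only)
      envelope        sorted envelope keys seen (event only)
    A body that is valid JSON but lacks an "event" key is reported as raw,
    because the raw endpoint accepts JSON text just like any other text.
    """
    raw = {"endpoint": "raw", "events": 0, "indexed_fields": [], "envelope": []}
    try:
        objs = list(iter_json_objects(body))
    except json.JSONDecodeError:
        return raw
    if not objs or not all(isinstance(o, dict) and "event" in o for o in objs):
        return raw
    indexed, envelope = set(), set()
    for o in objs:
        envelope.update(k for k in o if k in ENVELOPE_KEYS)
        fields = o.get("fields")
        if isinstance(fields, dict):  # indexed fields only exist on /event
            indexed.update(fields)
    return {
        "endpoint": "event",
        "events": len(objs),
        "indexed_fields": sorted(indexed),
        "envelope": sorted(envelope),
    }


# Constructed sample bodies (not real captures).
SAMPLE_EVENT_BODY = (
    '{"time": 1745436446, "host": "web01", "source": "nginx", '
    '"sourcetype": "nginx:access", "event": "GET /login 200", '
    '"fields": {"env": "prod", "team": "web"}}'
)
SAMPLE_BATCH_BODY = '{"event": "first"}\n{"event": "second", "host": "web02"}'
SAMPLE_RAW_BODY = "2025-04-23T19:27:26Z web01 nginx: GET /login 200"
SAMPLE_RAW_JSON_BODY = '{"msg": "a JSON line sent to /raw has no event key"}'

if __name__ == "__main__":
    for name, body in [
        ("event", SAMPLE_EVENT_BODY),
        ("batch", SAMPLE_BATCH_BODY),
        ("raw", SAMPLE_RAW_BODY),
        ("raw-json", SAMPLE_RAW_JSON_BODY),
    ]:
        print(f"{name:9s} -> {classify_hec_body(body)}")
```

The "raw" verdict is deliberately the default: a sender can post JSON to the raw endpoint too, so only the presence of the "event" key on every object in the body is treated as evidence for /event, and a non-empty indexed_fields list is the stronger signal PickleRick describes.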

gn694
Communicator

I was afraid of that.  Makes it hard for me because I don't have access to the source side of things for most things coming into HEC.


VatsalJagani
SplunkTrust

@gn694 - I don't think there is any direct way or internal logs you can use for what you need.

Unless you can see the difference in data in terms of fields indexed OR you check on the source side.
