What is causing json messages to not always be ind...

dhuynh · ‎06-12-2023

Hi everyone,

For one of our client we are sending in json log data via log4j2 to the splunk cloud HEC token.

we are using the /event/collector/raw endpoint.

What I notice is that the fields are not extracted consistently. We do not see any pattern in our process so we cannot pinpoint the exact location of the issue.

I am using the following source type with its configs:

Hopefully can someone see what might cause this issue.

Thankyou in advanced.

Duy

nyc_jason · ‎06-12-2023

Hello dhuynh, there are a few possible reasons this could be happening. First, please check for payload character set issues (such as non UTF-8 characters, which can cause JSON to break. Also, check the splunk logs for errors. You can find HEC parsing errors in the _introspection index.

dhuynh · ‎06-13-2023

@nyc_jason thankyou for your fast reply.

when checking the _introspection index I dont see any parsing error. Everything gets parsed correctly. what is weird is that it happens randomly. so when I rerun the process again then the data might be parsed correctly.

What is causing json messages to not always be indexed?

HTTP Event Collector

JSON

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation