Getting Data In

Why are source/host/sourcetype fields dropping through HEC?

Mels
Engager

I'm posting a JSON struct such as

{
  "index": "test_metrics",
  "time": 1679920906.0,
  "event": "metric",
  "host": "myhostname",
  "source": "build.mybuildplan",
  "sourcetype": "trace_profile",
  "fields": {
    "metric_name:metric1": 1234,
    "metric_name:metric2": 1234,
    "metric_name:metric3": 1234,
    ...
    "metric_name:metricN": 1234
  }
}

I noticed that on our Splunk Enterprise server, I can successfully post it, but the source, host, and sourcetype fields are not visible in Splunk (version 9.0.1).

After some debugging on a local Splunk install I found that when I reduce N enough, these fields suddenly come through. Moreover, when I find the largest N for which these fields are shown properly and then make the name of the last metric longer (e.g. "metric_name:metricN_lorem_ipsum_etc"), it also starts to drop these fields. So it looks like it's related to the length of all metric names in the JSON combined?

My questions:
- Has anyone else experienced this?
- What's the magic limit I'm hitting here?
- Most importantly: Why can't I see any error message anywhere? It seems to be silently dropping some info. Is this a bug that could be fixed?
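The manual bisection described in the post (shrink N until host/source/sourcetype reappear, then lengthen one name) can be automated. The script below is an added example, not code from the post or from Splunk: it rebuilds the exact payload shape above for any N, measures the combined metric-name length the post suspects, and binary-searches for the largest passing N given a caller-supplied check. The real check would post to HEC and confirm the three fields in a search; the `_mock_check` threshold of 1000 characters is constructed for offline use, not a known Splunk limit.

```python
import json
from typing import Callable, Dict


def build_metric_payload(n_metrics: int, name_suffix: str = "") -> Dict:
    """Build a HEC metric event with the same shape as the one in the post.

    `name_suffix` is appended to the last metric name so that the effect of a
    longer name on the combined name length can be reproduced.
    """
    fields = {f"metric_name:metric{i}": 1234 for i in range(1, n_metrics + 1)}
    if n_metrics and name_suffix:
        last = f"metric_name:metric{n_metrics}"
        fields[last + name_suffix] = fields.pop(last)
    return {
        "index": "test_metrics",
        "time": 1679920906.0,
        "event": "metric",
        "host": "myhostname",
        "source": "build.mybuildplan",
        "sourcetype": "trace_profile",
        "fields": fields,
    }


def combined_name_length(payload: Dict) -> int:
    """Total characters across all metric names under `fields`."""
    return sum(len(k) for k in payload["fields"])


def payload_bytes(payload: Dict) -> int:
    """Size of the compact JSON body as it would be sent to HEC."""
    return len(json.dumps(payload, separators=(",", ":")).encode("utf-8"))


def find_largest_passing_n(metadata_visible: Callable[[Dict], bool], lo: int, hi: int) -> int:
    """Binary-search [lo, hi] for the largest N where metadata_visible(payload) holds.

    Assumes the behaviour is monotonic in N: passes up to some cut-off, fails above it.
    """
    assert metadata_visible(build_metric_payload(lo)), "even the smallest N fails"
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if metadata_visible(build_metric_payload(mid)):
            lo = mid
        else:
            hi = mid - 1
    return lo


def _mock_check(payload: Dict) -> bool:
    # Constructed stand-in for posting to HEC and searching for host/source/sourcetype.
    return combined_name_length(payload) <= 1000
```

Replace `_mock_check` with a function that posts the payload to your HEC endpoint and searches for the event; the returned N, together with `combined_name_length` and `payload_bytes` at that N, pins down which quantity the cut-off tracks.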
