Getting Data In

Why are source/host/sourcetype fields dropping through HEC?

Mels
Engager

I'm posting a json struct such as 

 

 

 

{
  "index": "test_metrics",
  "time": 1679920906.0,
  "event": "metric",
  "host": "myhostname",
  "source": "build.mybuildplan",
  "sourcetype": "trace_profile",
  "fields": {
    "metric_name:metric1": 1234,
    "metric_name:metric2": 1234,
    "metric_name:metric3": 1234,
    ...
    "metric_name:metricN": 1234
  }
}

 

 

 

I noticed that on our splunk enterprise server, I can successfully post it, but the source, host, and sourcetype fields are not visible in Splunk (version 9.0.1).

After some debugging on a local Splunk install I found that when I reduce N enough, these fields suddenly come through. Moreover, when I find the largest N for which these fields are shown properly and then make the name of the last metric longer (e.g. "metric_name:metricN_lorem_ipsum_etc"), it also starts to drop these fields. So it looks like it's related to the length of all metric names in the json combined?

My questions:
- Has anyone else experienced this?
- What's the magic limit I'm hitting here?
- Most importantly: Why can't I see any error message anywhere? It seems to be silently dropping some info. Is this a bug that could be fixed?

Labels (5)
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...