Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I get past the following "handling indexed fields" error in a JSON input?

brutecat
Path Finder
‎12-03-2018 07:05 AM

Hi,

I am trying to load JSON data via cURL into an HTTP Event Collector. I know that I am reaching the service and getting a response, but it is always the same:

{"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

I execute it on Windows with the command:
curl -k "https://localhost:8088/services/collector" -H "Authorization: Splunk 41051b3a-6563-4bec-bd57-94fe1f73df8d" -d @%1

and I pass the name of the file which contains the following:

{"time":"2018-08-31T06:10:06.000","event":{"name":"AddShipments","number":"10"}}

I have declared a source type derived from JSON and indicated that the key for the timestamp is 'time'. This appears to work, but I simply cannot seem to get the data loaded.

Are there mandatory fields that I need to add? I should point out that I have tried adding 'index' and 'sourcetype'. This seems to work, but also seems superfluous as the token ID maps to these values. In any case, it does not help.

Or do I need to pre-define the JSON structure somehow? I though it could absorb any structure and you parse for what you need later with the spath command.

I am using Splunk 7.1.2. Community edition of Splunk Enterprise

Any advice would be most appreciated.

Thanks,

Stan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brutecat
Path Finder
‎12-04-2018 04:36 AM

Figured it out!

It needs to looks something like:

{"event" : [{(real event1)},{(real event2)}]}

The keyword 'event is mandatory and is not part of the json tree when it's loaded. You don't need index or sourcetype. If you leave out the timestamp, it says it loads, but it does not appear in the index. The keyword for the timestamp and the format can be set up in the sourcetype. The rest of the fields in the 'real events' can be anything and would be filtered by spath when you inspect the data.

Sorry if this wasted anyone's time

View solution in original post

Reply
Solved! Jump to solution

brutecat
Path Finder
‎12-04-2018 05:16 AM

AND the keyword 'event' is case sensitive - so 'Event' does not work.

0 Karma
Reply
Solved! Jump to solution
Solution

brutecat
Path Finder
‎12-04-2018 04:36 AM

Figured it out!

It needs to looks something like:

{"event" : [{(real event1)},{(real event2)}]}

The keyword 'event is mandatory and is not part of the json tree when it's loaded. You don't need index or sourcetype. If you leave out the timestamp, it says it loads, but it does not appear in the index. The keyword for the timestamp and the format can be set up in the sourcetype. The rest of the fields in the 'real events' can be anything and would be filtered by spath when you inspect the data.

Sorry if this wasted anyone's time

Reply
Solved! Jump to solution

douglasmidgley
Engager
‎11-19-2021 02:11 PM

Indeed, also helped me. Just kept the event key with an array of events

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...