Getting Data In

Why can't I get past the following "handling indexed fields" error in a JSON input?

brutecat
Path Finder

Hi,

I am trying to load JSON data via cURL into an HTTP Event Collector. I know that I am reaching the service and getting a response, but it is always the same:

{"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

I execute it on Windows with the command:
curl -k "https://localhost:8088/services/collector" -H "Authorization: Splunk 41051b3a-6563-4bec-bd57-94fe1f73df8d" -d @%1

and I pass the name of the file which contains the following:

{"time":"2018-08-31T06:10:06.000","event":{"name":"AddShipments","number":"10"}}

I have declared a source type derived from JSON and indicated that the key for the timestamp is 'time'. This appears to work, but I simply cannot seem to get the data loaded.

Are there mandatory fields that I need to add? I should point out that I have tried adding 'index' and 'sourcetype'. This seems to work, but also seems superfluous as the token ID maps to these values. In any case, it does not help.

Or do I need to pre-define the JSON structure somehow? I thought it could absorb any structure and you parse for what you need later with the spath command.

I am using Splunk 7.1.2, the Community edition of Splunk Enterprise.

Any advice would be most appreciated.

Thanks,

Stan

0 Karma
1 Solution

brutecat
Path Finder

Figured it out!

It needs to look something like:

{"event" : [{(real event1)},{(real event2)}]}

The keyword 'event' is mandatory and is not part of the JSON tree when it's loaded. You don't need index or sourcetype. If you leave out the timestamp, it says it loads, but it does not appear in the index. The keyword for the timestamp and the format can be set up in the sourcetype. The rest of the fields in the 'real events' can be anything and would be filtered by spath when you inspect the data.

Sorry if this wasted anyone's time


brutecat
Path Finder

AND the keyword 'event' is case sensitive - so 'Event' does not work.

0 Karma
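To make the envelope from the accepted answer and the case-sensitivity follow-up concrete, here is an added example (not code from the thread or from Splunk) that builds the payload the way the solution describes, runs a pre-flight check for the exact lowercase 'event' key and for a timestamp inside each record, and wraps the curl call from the question. The sample records, the helper names and the post_to_hec function are constructed for illustration; the HEC URL and token are placeholders for whatever your own input uses.

```python
import json
import urllib.request

# Constructed sample records with the field layout from the question.
SAMPLE_RECORDS = [
    {"time": "2018-08-31T06:10:06.000", "name": "AddShipments", "number": "10"},
    {"time": "2018-08-31T06:10:07.000", "name": "AddShipments", "number": "11"},
]

def build_hec_payload(records, time_key="time"):
    """Wrap real events in the envelope the answer arrived at:
    {"event": [ ...records... ]}. The envelope key is lowercase 'event';
    the timestamp stays inside each record so the sourcetype's timestamp
    settings can extract it (records without one load silently but never
    show up in the index, per the answer)."""
    for rec in records:
        if time_key not in rec:
            raise ValueError(f"record lacks {time_key!r}; it would not appear in the index")
    return json.dumps({"event": list(records)})

def check_hec_envelope(payload):
    """Pre-flight check on a payload string before sending it.
    Returns a list of problems; an empty list means the envelope looks right."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    if "event" in doc:
        return []
    # 'event' is case-sensitive: 'Event' is rejected, so name the typo explicitly.
    wrong = [k for k in doc if k.lower() == "event"]
    if wrong:
        return [f"key {wrong[0]!r} must be spelled exactly 'event'"]
    return ["missing mandatory 'event' key"]

def post_to_hec(payload, token, url="https://localhost:8088/services/collector"):
    """Hypothetical helper equivalent to the curl call in the question.
    Unlike curl -k, certificate verification is left on; install the HEC
    certificate locally rather than disabling checks."""
    req = urllib.request.Request(
        url, data=payload.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    body = build_hec_payload(SAMPLE_RECORDS)
    print(body, check_hec_envelope(body) or "envelope OK")
```

Run the check against a payload before posting; the expected reply from a successful send is the HEC success JSON, which post_to_hec returns as a dict.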

douglasmidgley
Engager

Indeed, also helped me. Just kept the event key with an array of events.

0 Karma