Getting Data In

Why can't I get past the following "handling indexed fields" error in a JSON input?

brutecat
Path Finder

Hi,

I am trying to load JSON data via cURL into an HTTP Event Collector. I know that I am reaching the service and getting a response, but it is always the same:

{"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

I execute it on Windows with the command:
curl -k "https://localhost:8088/services/collector" -H "Authorization: Splunk 41051b3a-6563-4bec-bd57-94fe1f73df8d" -d @%1

and I pass the name of the file which contains the following:

{"time":"2018-08-31T06:10:06.000","event":{"name":"AddShipments","number":"10"}}

I have declared a source type derived from JSON and indicated that the key for the timestamp is 'time'. This appears to work, but I simply cannot seem to get the data loaded.

Are there mandatory fields that I need to add? I should point out that I have tried adding 'index' and 'sourcetype'. This seems to work, but also seems superfluous as the token ID maps to these values. In any case, it does not help.

Or do I need to pre-define the JSON structure somehow? I thought it could absorb any structure and you parse for what you need later with the spath command.

I am using Splunk 7.1.2, the Community edition of Splunk Enterprise.

Any advice would be most appreciated.

Thanks,

Stan

0 Karma
1 Solution

brutecat
Path Finder

Figured it out!

It needs to look something like:

{"event" : [{(real event1)},{(real event2)}]}

The keyword 'event' is mandatory and is not part of the JSON tree when it's loaded. You don't need index or sourcetype. If you leave out the timestamp, it says it loads, but it does not appear in the index. The keyword for the timestamp and the format can be set up in the sourcetype. The rest of the fields in the 'real events' can be anything and would be filtered by spath when you inspect the data.

Sorry if this wasted anyone's time


brutecat
Path Finder

AND the keyword 'event' is case sensitive - so 'Event' does not work.

0 Karma


douglasmidgley
Engager

Indeed, also helped me. Just kept the event key with an array of events

0 Karma