Why are events not broken down correctly in HEC raw mode?

wcui_splunk
Splunk Employee

Hi, I'm investigating using HEC raw mode to index some data. In my case I want to stream the data with multiple HTTP requests using a fixed channel ID, because the client never changes. My Splunk server version is 6.4.3.

I'm using the Python code below to test the HEC behavior, and the result is the same as using cURL or Postman.
#!/usr/bin/env python

import requests
import uuid
import time

# Two newline-terminated events, each starting with an ISO-8601 timestamp
data = "2017-01-01T12:00:00Z, a=b\n2017-01-01T12:00:01Z, b=c\n"
headers = {"Authorization": "Splunk EB49F64A-6487-4F87-8EFF-3209CD22CC50"}
params = {"sourcetype": "pythontest", "source": "pythontest2"}

def sendInSession():
    # One channel ID for the whole run; it stays the same across both requests
    params.update({"channel": str(uuid.uuid4()).upper()})
    r = requests.Request('POST', 'https://dbx.splunk.dev:8088/services/collector/raw',
                         data=data, params=params, headers=headers)

    # A Session reuses the same TCP connection for both sends
    with requests.Session() as s:
        r_p = s.prepare_request(r)
        # verify=False skips TLS certificate checking (test setup only)
        print(s.send(r_p, verify=False).content)
        time.sleep(3)

        print(s.send(r_p, verify=False).content)
        time.sleep(3)

if __name__ == "__main__":
    sendInSession()

I'm using a session here to reuse the same connection, and two HTTP requests were made to splunkd. It looks like the data was correctly indexed for the first request, while the events of the second request were not broken up correctly.

You can see the result here: [screenshot of the indexed events, image not preserved]

My question is:
Why does the same data give different line-breaking results in Splunk when the same channel ID is used?

0 Karma

yannK
Splunk Employee

Try setting up a strict line-breaking parsing rule for the sourcetype "pythontest" on the indexers (or heavy forwarders).

0 Karma
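As an added illustration of this suggestion (not part of the original thread and not Splunk's or the poster's own configuration), here is a props.conf stanza for the sourcetype "pythontest", written against the two-line sample payload in the question. The keys are standard Splunk props.conf settings; the file would live on the heavy forwarder or indexer that terminates the HEC connection, in $SPLUNK_HOME/etc/system/local/ or an app's local directory, and the stanza name is assumed to match the sourcetype query parameter the client sends.

```ini
# props.conf on the HF / indexer that receives the raw-mode HEC traffic.
# Raw mode carries no per-event boundaries, so every break is decided here.
[pythontest]
# Treat each newline-separated line as its own event and never merge lines
# back together; with the default SHOULD_LINEMERGE = true, splunkd may glue a
# line onto the previous event when it cannot find a timestamp it trusts.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Anchor the timestamp at the start of the line and match the sample data,
# e.g. "2017-01-01T12:00:00Z, a=b"; the trailing Z is a literal here and TZ
# tells splunkd the time is UTC.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ = UTC
```

After deploying the stanza, restart splunkd (or reload props) on that host and resend the payload with a fresh sourcetype-only search such as sourcetype=pythontest to confirm that each line lands as one event, regardless of whether the channel ID is reused between requests.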

wcui_splunk
Splunk Employee

Thank you. I think it's probably not the root cause; otherwise the events could not have been broken correctly the first time.
And my testing shows:
1) If I change the channel ID for every HTTP request, then line breaking works correctly.
2) This code just works on 6.5.3, so maybe it's a bug in 6.4.3. Can anyone confirm?

0 Karma

ybongart_splunk
Splunk Employee

I was not able to reproduce this in v7 either.

0 Karma

fabiocaldas
Contributor

I'm using Splunk 7 and I'm also having this problem.

0 Karma

starcher
Influencer

In raw mode, all event breaking is going to happen at the HF receiving it. You might want to troubleshoot there, especially if you are batching the data. You could also use my Python class, which has this threaded.
https://github.com/georgestarcher/Splunk-Class-httpevent

0 Karma