Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is linemerging not working with Http Event Collector (HEC)?

yarinm
Explorer
‎11-06-2018 05:52 AM

Hey,

We're trying to use Splunk HEC (+fluentd) and our existing linemerge rules aren't applied to events pushed using HEC.
We have a Splunk forwarder that pushes the same data and the linemerge rules properly applied to them.

Am I missing anything? Does HEC ignore merge rules ?

Reply

marycordova
SplunkTrust
SplunkTrust
‎11-06-2018 11:42 AM

Are you sending JSON data or "raw" data? I have JSON data that is a little off, so it uses the raw endpoint instead and I set the KV_MODE to json in props.conf.

http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/FormateventsforHTTPEventCollector#Event_parsi...

http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTinput#services.2Fcollector.2Fraw

Also...there are some things you cannot do on a Universal Forwarder that you can on a Heavy Forwarder regarding props and transforms.

So:

  1. maybe try a Heavy Forwarder
  2. maybe try the raw HEC and a combination of props settings (also on a Heavy Forwarder?)
@marycordova
0 Karma
Reply

yarinm
Explorer
‎11-06-2018 11:33 PM

@marycordovacaa The current official plugin by splunk for fluentd doesn't support the raw API https://github.com/splunk/fluent-plugin-splunk-hec

We're currently sending using the /event endpoint.

After some testing, if I use the raw endpoint (and batch the events) together the LINEMERGE rule applies. If I use the event endpoint (with batching) it ignores it completely. I was afraid that I'll have to resort to merging the lines with fluentd..

Any other suggestions?

0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎11-07-2018 10:09 AM

Doesn't using the raw endpoint solve your problem? Can you just use that or does some other issue arise?

@marycordova
0 Karma
Reply

yarinm
Explorer
‎11-07-2018 12:56 PM

The official splunk-hec fluentd plugin doesn't support the /raw endpoint at the moment..

0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎11-07-2018 04:30 PM

maybe submit a feature request or a bug...i dont know if its trivial to edit the plugin to use the raw endpoint or not...and then of course updates could be likely to break the customization

@marycordova
0 Karma
Reply

benazir
Explorer
‎09-18-2019 01:19 AM

does anyone fix this issue?

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...