Been struggling for a while on this one.
On-prem Splunk Enterprise. v9.1.2, running on CentOS 7.9
--
Just trying to find a consistent way to be able to upload log files through HTTP Event Collector (HEC) tokens. I found the whole RAW vs JSON thing confusing at first and thought the only way to be able to specify/override values like host, sourcetype, etc. was to package up my log file in the JSON format.
Discovered today that you can specify those values in the RAW url, like so:
https://mysplunkinstance.com:8088/services/collector/raw?host=myserver&sourcetype=linux_server
which was encouraging. It seemed to work.
And I think I've gotten further ahead. I now have this effectively, as my curl command running in a bash script:
curl -k https://mysplunkinstance.com:8088/services/collector/raw?host=myserver&sourcetype=linux_server -H "Authorization: Splunk <hec_token>" -H "Content-type: plain/text" -X 'POST' -d "@${file}"
Happy to report that I now see the log data.
However, it only seems happy if its a single line log. When I give it a log file with more lines, it just jumbles it all together. I thought it would honour the configuration rules we have programmed for sourcetype=linux_secure (from community add-ons and our own updates) but it doesn't. Loading the same file through Settings -> Add Data has no problem properly line-breaking per the configuration.
I'm guessing there is something I am missing then in how one is meant to send RAW log files through HEC?
