Tell me, is this message format possible for sending to Splunk:
curl --location --request POST 'http://170.25.25.25:8088/services/collector/event' --header 'Authorization: Splunk ееееее-еееееееее-ееееее-e6fc' --header 'Content-Type: text/plain' --data-raw '{
"messageId": "<ED280816-E404-444A-A2D9-FFD2D171F928>",
"srcMsgId": "<rwfsdfsfqwe121432gsgsfgdg>",
"correlationMsgId": "<rwfsdfsfqwe135432gsgsfgdg>",
"baseSystemId": "<SDS-IN>",
"routeInstanceId": "<TPKSABS-SMEV>",
"routepointID": "<1.SABS-GIS.TO.KBR.SEND>",
"eventTime": "<1985-04-12T23:20:50>",
"messageType": "<ED123>",
"GISGMPResponseID": "<PS000BA780816-E404-444A-A2D9-FFD2D1712345>",
"GISGMPRequestID": "<PS000BA780816-E404-444A-A2D9-FFD2D1712344>",
"tid": "<ED280816-E404-444A-A2D9-FFD2D171F900>",
"PacketGISGMPId": "<7642341379_20220512_123456789>",
"result.code": "<400>",
"result.desc": "<Ошибка: абвгд>"
}'
Without the fields "event" and "fields", using only custom fields?
Hi metylkinandrey,
you can send your custom message without 'fields' and 'event'.
Instead of sending it, as in your example, to:
/services/collector/event
just send it to:
/services/collector/raw
See: https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector
Best regards,
Andreas
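The two options side by side, as an added example that is not part of the original thread or of Splunk's documentation: the custom JSON goes unchanged to `/services/collector/raw`, or it is nested under an `event` key for `/services/collector/event`. The host, token and the helper names `build_hec_request` and `send` are assumptions made for illustration.

```python
import json
import urllib.request

# Constructed placeholders (assumptions): substitute your own HEC host and token.
# The token is a bearer credential, so prefer the HTTPS listener.
HEC_BASE = "https://splunk.example.invalid:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

EVENT_PATH = "/services/collector/event"
RAW_PATH = "/services/collector/raw"


def build_hec_request(payload, wrap=False, base=HEC_BASE, token=HEC_TOKEN):
    """Return an unsent POST request for the endpoint that fits `payload`.

    /event expects an envelope with an "event" key; /raw takes the body as-is.
    """
    if not isinstance(payload, dict):
        raise TypeError("payload must be a JSON object (dict)")
    if "event" in payload:          # already an HEC envelope
        path, body = EVENT_PATH, payload
    elif wrap:                      # nest the custom fields under "event"
        path, body = EVENT_PATH, {"event": payload}
    else:                           # send the custom JSON untouched
        path, body = RAW_PATH, payload
    data = json.dumps(body, ensure_ascii=False).encode("utf-8")
    return urllib.request.Request(
        base + path, data=data, method="POST",
        headers={"Authorization": "Splunk " + token},
    )


def send(request, timeout=10):
    """Actually post the request and return the HTTP status code."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: three of the custom fields from the question.
    custom = {
        "messageId": "<ED280816-E404-444A-A2D9-FFD2D171F928>",
        "eventTime": "<1985-04-12T23:20:50>",
        "result.code": "<400>",
    }
    for wrap in (False, True):
        req = build_hec_request(custom, wrap=wrap)
        print(req.full_url, req.data.decode("utf-8"))
```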
It seems to be what you need! Thank you!