I'm ingesting data into Splunk via the HTTP Event Collector (HEC), but the data is wrapped inside a "data" key instead of "event". Splunk expects events inside the "event" key, and I'm getting the error:

    Failed to send data: {"text":"No data","code":5}

Here’s an example of the data I’m sending:

    {
      "data": {
        "timestamp": "2025-04-01T19:51:07.720Z",
        "userId": "",
        "userAgent": "Visual Studio Code/1.98.2 (Continue/1.0.5)",
        "selectedProfileId": "local",
        "eventName": "chatFeedback",
        "schema": "0.2.0",
        "prompt": "|>\n",
        "completion": "Sample completion text",
        "modelTitle": "Llama",
        "feedback": true,
        "sessionId": "c36c18eb-25e6-4448-b9b5-a50cdd2a0baa"
      }
      index="test"
      sourcetype="test:json"
      source="telemetry"
    }

How can I transform incoming HEC data so that "data" is treated as "event" in Splunk? Is there a better way to handle this at the Splunk configuration level?

Thanks in advance for any help!

@ITWhisperer
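
One way to handle this on the sending side, before the request reaches HEC, is to re-wrap the payload so the body sits under "event" with the metadata beside it. This is an added example, not part of the original post; the function name `to_hec_envelope` and the sample payload (a trimmed, valid-JSON version of the one above) are assumptions.

```python
import json
from datetime import datetime, timezone

# Metadata keys that HEC reads beside "event" in the JSON envelope
HEC_META_KEYS = ("time", "host", "source", "sourcetype", "index", "fields")

# Constructed sample: trimmed, valid-JSON version of the payload in the post
SAMPLE = {
    "data": {
        "timestamp": "2025-04-01T19:51:07.720Z",
        "eventName": "chatFeedback",
        "modelTitle": "Llama",
        "feedback": True,
        "sessionId": "c36c18eb-25e6-4448-b9b5-a50cdd2a0baa",
    },
    "index": "test",
    "sourcetype": "test:json",
    "source": "telemetry",
}


def to_hec_envelope(payload, defaults=None):
    """Re-wrap a {"data": {...}} payload as a HEC {"event": {...}} envelope."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    if "event" in payload:
        return payload  # already in the shape HEC expects
    body = payload.get("data")
    if body in (None, "", {}, []):
        # An empty body would be rejected anyway; fail before sending
        raise ValueError('payload has no usable "data" value to send as "event"')

    envelope = dict(defaults or {})
    # Carry over metadata that arrived beside "data"
    for key in HEC_META_KEYS:
        if key in payload:
            envelope[key] = payload[key]
    # Use the event's own ISO 8601 timestamp as epoch seconds for "time"
    ts = body.get("timestamp") if isinstance(body, dict) else None
    if ts and "time" not in envelope:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        envelope["time"] = parsed.astimezone(timezone.utc).timestamp()
    envelope["event"] = body
    return envelope


if __name__ == "__main__":
    print(json.dumps(to_hec_envelope(SAMPLE), indent=2))
```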