HTTP Event Collector do not completly index data

nanapark · ‎06-25-2018

While trying to index data using the HTTP Event Collector, I got some data loss, especially in the last row.
Data format used is the following:

Multiple lines separated by CRLF
encode UTF-8
Data's format : flat JSON

Example:
{"field1":1,"field2":2,"field3":"smth"} CRLF
{"field1":2,"field2":3,"field3":"smth"} CRLF
{"field1":3,"field2":4,"field3":"smth"}

Anyone have an idea about this problem?

amiftah · ‎06-25-2018

Can you show your sourcetype in props.conf ?

nanapark · ‎06-26-2018

Unfortunately, I do not have access to the props.conf
We found that special characters are making trouble for the HEC such as: double quotes “ or é or è ...
Is there any solution to let the HEC accept those characters?

nanapark · ‎06-26-2018

I don't know if this can help. In indexed data I found this : sourcetype = _json

amiftah · ‎06-26-2018

Which Splunk version are you using?

nanapark · ‎06-27-2018

we are using splunk 6.5.3

HTTP Event Collector do not completly index data

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!