Hello,
I am trying to post events through HEC like so:
{
  "host": "my_host",
  "sourcetype": "my_source_type",
  "time": 15617254748.888,
  "event": {
    "event": "my_event_name",
    "source": "my_source",
    "message": "My message"
  }
}
Unfortunately, I cannot find these events in my index, and this seems to be due to the presence of the inner field event.
Is there a way to pass the event name inside the event object?
@fmathis ,
It depends on your implementation, but I was able to send a JSON with event in the message programmatically as well as using a simple curl.
curl -k -H "Authorization: Splunk my_splunk_token" https://my_splunk_host:hec_port/services/collector/event -d '{"sourcetype": "_json", "event": "{\"event\":\"my_event\",\"message\":\"This message has event name\"}"}'
Result
From your event above, it looks like the timestamp is a future one. You may try searching the default index configured with the token and also probably for "All Time".
Thanks a lot for your answer, I must have been fooled by the timestamp!
The thing is, I could never find an example of sending an event field inside the event object, so I started doubting that might be possible.
Thanks again!
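
The future-timestamp diagnosis from this thread, as an added example that is not part of the original posts: a pre-send check that flags a HEC "time" value lying in the future and suggests a plausible epoch-seconds value, while leaving the nested "event" key untouched. The function names, the thresholds and the fixed `now` value are assumptions made for the example.

```python
import json
import time

MAX_FUTURE_SKEW = 300      # assumed tolerance for clock skew, in seconds
EPOCH_FLOOR = 946684800    # 2000-01-01 UTC; assumed lower bound for a sane event time

def check_hec_time(payload, now=None):
    """Classify the top-level HEC "time" field (epoch seconds).

    Returns (status, value): ("absent", None), ("ok", t), or
    ("future", suggested_seconds_or_None).
    """
    now = time.time() if now is None else now
    if "time" not in payload:
        return ("absent", None)
    t = float(payload["time"])
    if t <= now + MAX_FUTURE_SKEW:
        return ("ok", t)
    # Common causes of a far-future value: a stray extra digit (x10)
    # or milliseconds sent where seconds are expected (x1000).
    for divisor in (10, 1000):
        candidate = t / divisor
        if EPOCH_FLOOR <= candidate <= now + MAX_FUTURE_SKEW:
            return ("future", candidate)
    return ("future", None)

def build_payload(host, sourcetype, event, when):
    """Serialize a HEC envelope; `event` may itself contain an "event" key."""
    return json.dumps({"host": host, "sourcetype": sourcetype,
                       "time": when, "event": event})

# Constructed sample: the payload from the question, checked against a
# constructed "now" of 1561730000 (June 2019).
SAMPLE = {
    "host": "my_host",
    "sourcetype": "my_source_type",
    "time": 15617254748.888,
    "event": {"event": "my_event_name", "source": "my_source",
              "message": "My message"},
}

if __name__ == "__main__":
    status, suggestion = check_hec_time(SAMPLE, now=1561730000.0)
    print(status, suggestion)
    fixed = build_payload(SAMPLE["host"], SAMPLE["sourcetype"],
                          SAMPLE["event"], suggestion)
    print(fixed)
```

Events that were already indexed with a future timestamp are only returned by searches whose time range extends past the present, which is why the "All Time" search suggested in the answer finds them.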