HEC _raw sourcetype - Splunk Community

Security

Hi,

I have a raw HEC set up as follows (no sourcetype set):

[http://aiwa_request_input]
disabled = 0
index = test
indexes = test
sourcetype =
token = xxxxxxx-xxx-x-x-xx

When I put an event into it and specify the sourcetype in the event it gets indexed as two sourcetypes; httpevent and "my" sourcetype "aiwa:request".

host = aiwa3dev-aiwa3-dev.cumulus.sebank.seindex = testlinecount = 1punct = {"":"--::.","":"","":":","":{"":"","":"","":{"":""source = http:aiwa_request_inputsourcetype = httpevent sourcetype = aiwa:requestsplunk_server = lsp7150c.sebank.se

From above: sourcetype = httpevent sourcetype = aiwa:request

How can I change this to only be the ST in the event itself.
My props & transforms are blank.

Cheers
/F

Did you manage to fix this. I also get two sourceTypes: httpEvent and aws:cloudTrail

The problem this is causing me is that I somehow end up with events with TWO sourcetypes, as it seems.

When i search: index=test sourcetype="aiwa:request"
I don't get a match.

But when i do: index=test sourcetype="httpevent"
I DO get a match.

Really confusing, as it looks like the event has BOTH souretypes.
I am posting the event to HEC raw endpoint with sourcetype set to "aiwa:request".

Is this expected behavior?

1 KB

Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...