Re: HTTP Event Collector do not completly index da...

nanapark · ‎06-25-2018

While trying to index data using the HTTP Event Collector, I got some data loss, especially in the last row.
Data format used is the following:

Multiple lines separated by CRLF
encode UTF-8
Data's format : flat JSON

Example:
{"field1":1,"field2":2,"field3":"smth"} CRLF
{"field1":2,"field2":3,"field3":"smth"} CRLF
{"field1":3,"field2":4,"field3":"smth"}

Anyone have an idea about this problem?

amiftah · ‎06-25-2018

Can you show your sourcetype in props.conf ?

nanapark · ‎06-26-2018

Unfortunately, I do not have access to the props.conf
We found that special characters are making trouble for the HEC such as: double quotes “ or é or è ...
Is there any solution to let the HEC accept those characters?

nanapark · ‎06-26-2018

I don't know if this can help. In indexed data I found this : sourcetype = _json

amiftah · ‎06-26-2018

Which Splunk version are you using?

nanapark · ‎06-27-2018

we are using splunk 6.5.3

HTTP Event Collector do not completly index data

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio