What is causing json messages to not always be ind...

dhuynh · ‎06-12-2023

Hi everyone,

For one of our client we are sending in json log data via log4j2 to the splunk cloud HEC token.

we are using the /event/collector/raw endpoint.

What I notice is that the fields are not extracted consistently. We do not see any pattern in our process so we cannot pinpoint the exact location of the issue.

I am using the following source type with its configs:

Hopefully can someone see what might cause this issue.

Thankyou in advanced.

Duy

nyc_jason · ‎06-12-2023

Hello dhuynh, there are a few possible reasons this could be happening. First, please check for payload character set issues (such as non UTF-8 characters, which can cause JSON to break. Also, check the splunk logs for errors. You can find HEC parsing errors in the _introspection index.

dhuynh · ‎06-13-2023

@nyc_jason thankyou for your fast reply.

when checking the _introspection index I dont see any parsing error. Everything gets parsed correctly. what is weird is that it happens randomly. so when I rerun the process again then the data might be parsed correctly.

What is causing json messages to not always be indexed?

HTTP Event Collector

JSON

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio