Hi, I'm investigating using HEC raw mode to index some data. In my case I want to stream the data with multiple HTTP requests with a fixed channel ID, because the client never changes. My Splunk server version is 6.4.3.
I'm using the Python code below to test the HEC behavior, and the result is the same as using cURL or Postman.
#!/usr/bin/env python
import time
import uuid

import requests

# Two raw events, one per line
data = "2017-01-01T12:00:00Z, a=b\n2017-01-01T12:00:01Z, b=c\n"
headers = {"Authorization": "Splunk EB49F64A-6487-4F87-8EFF-3209CD22CC50"}
params = {"sourcetype": "pythontest", "source": "pythontest2"}


def sendInSession():
    # One channel ID, generated once and reused for both requests
    params.update({"channel": str(uuid.uuid4()).upper()})
    r = requests.Request('POST', 'https://dbx.splunk.dev:8088/services/collector/raw',
                         data=data, params=params, headers=headers)
    with requests.Session() as s:
        # The session keeps the connection open between the two sends
        r_p = s.prepare_request(r)
        # verify=False: TLS certificate verification is off for this test server
        print(s.send(r_p, verify=False).content)
        time.sleep(3)
        print(s.send(r_p, verify=False).content)
        time.sleep(3)


if __name__ == "__main__":
    sendInSession()
I'm using a session here to reuse the same connection, and two HTTP requests were made to splunkd. It looks like the data was correctly indexed for the first request, while the events of the second request were not broken up correctly.
You can see the result here:
My question is:
Why does the same data produce different field-breaking results in Splunk when using the same channel ID?