I have some logging being sent into an HTTP Event Collector like this:
Endpoint: https://myeventcollector.com:8088/services/collector/event
Request Payload: { "sourcetype": "$filename", "fields": { "ip_address": "$ip_address", "file_path": "$log" }, "time": $timestamp, "event": $line }
According to this document, the "fields" key "Specifies a JSON object that contains explicit custom fields to be defined at index time. Requests containing the "fields" property must be sent to the /collector/event endpoint, or they will not be indexed".
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/FormateventsforHTTPEventCollector
I am seeing the "ip_address" and "file_path" fields being correctly extracted, but am experiencing strange behavior when I try to filter them. If I specify ip_address="10.119.32.165" in the search, I get partial results from my search. However, when I specify ip_address::10.119.32.165 in the search, all events return.
I was able to find this similar question, but why does Splunk consider data from the "fields" argument of a HEC request as metadata when the documentation literally calls them fields? Also, I'm familiar with how a Splunk forwarder works and know that a deployment app uses '::' to specify metadata during indexing, but why can't I use = to search metadata in the first place?
https://answers.splunk.com/answers/562832/add-to-search-returns-no-results.html
Just looking to understand what is happening here better, as this will be very confusing for my users.
Thank you,
Ryan
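An added example (not part of Ryan's post, and not Splunk's own code) that builds the HEC payload shape from the question, validates the parts that silently break indexing, and POSTs a batch with the standard "Authorization: Splunk <token>" header. The host, token, sample log line and sourcetype are placeholders I made up for the illustration; only the Python standard library is used.

```python
"""Build, validate and send Splunk HTTP Event Collector (HEC) events.

Added example for the question above; not the original poster's code.
The URL, token, sourcetype and log line below are constructed placeholders.
"""
import json
import ssl
import time
import urllib.request
from typing import Any, Dict, Iterable, Optional

# Placeholders (assumptions, not values from the post).
HEC_URL = "https://myeventcollector.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def validate_event(payload: Dict[str, Any]) -> None:
    """Raise ValueError for the payload mistakes that HEC rejects or mis-indexes.

    - "time" must be epoch seconds as a number, not an ISO string.
    - "fields" must be a flat object; each value a non-empty string or a
      list of non-empty strings (the documented index-time field format).
    - "event" must be present and non-empty.
    """
    t = payload.get("time")
    if isinstance(t, bool) or not isinstance(t, (int, float)):
        raise ValueError('"time" must be epoch seconds as a number')
    fields = payload.get("fields", {})
    if not isinstance(fields, dict):
        raise ValueError('"fields" must be a JSON object')
    for name, value in fields.items():
        ok_str = isinstance(value, str) and value != ""
        ok_list = (isinstance(value, list) and value
                   and all(isinstance(v, str) and v for v in value))
        if not isinstance(name, str) or not (ok_str or ok_list):
            raise ValueError(f"indexed field {name!r} must be a non-empty string "
                             "or list of strings (nested objects are not allowed)")
    if not payload.get("event"):
        raise ValueError('"event" must be present and non-empty')


def build_event(line: str, sourcetype: str, ip_address: str, log_path: str,
                timestamp: Optional[float] = None) -> Dict[str, Any]:
    """Return one event in the same shape as the template in the post:
    "fields" carries the index-time fields, "event" carries the raw line."""
    payload = {
        "sourcetype": sourcetype,
        "fields": {"ip_address": ip_address, "file_path": log_path},
        "time": time.time() if timestamp is None else timestamp,
        "event": line,
    }
    validate_event(payload)
    return payload


def batch_body(events: Iterable[Dict[str, Any]]) -> bytes:
    """HEC accepts several events per request as back-to-back JSON objects
    (no enclosing array); newlines between them are optional but readable."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def send_events(events: Iterable[Dict[str, Any]], url: str = HEC_URL,
                token: str = HEC_TOKEN, verify_tls: bool = True) -> int:
    """POST a batch to the /services/collector/event endpoint; return HTTP status.
    Needs a live collector, so it is not exercised offline."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab collectors with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=batch_body(events), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample line; the IP appears in "fields" but not in the raw event.
    ev = build_event("Accepted publickey for ryan port 51022 ssh2", "sshd_log",
                     "10.119.32.165", "/var/log/auth.log", timestamp=1520000000)
    print(batch_body([ev]).decode())
```

Note the sample event deliberately keeps the IP out of the raw text: an event where the value exists only in "fields" is the case that `ip_address::10.119.32.165` finds and a plain `ip_address="..."` search can miss, which is the behaviour the question describes. In my experience the documented way to make `=` work against an index-time field is a fields.conf stanza with INDEXED = true on the search head; the `::` syntax queries the indexed field directly and needs no such configuration.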