
Where is the equivalent setting to Splunk's Source type > Select Source Type > Structured > _json

bigger that Posts: 1

Hi,

I'm trying to set up a Splunk HEC within Cribl Stream, and I'm encountering the error "malformed HEC event." I've encountered that error when setting up HECs in Splunk, and to correct the problem I have to go to Source type > Select Source Type > Structured > _json when editing the HEC's settings. I've been looking and reading search results, but so far I haven't found the equivalent setting in Cribl Stream. Where can I find that setting for the HEC, please?

Answers

  • Jon Rust
    Jon Rust Posts: 443 mod
    edited September 11

    There isn't a setting for that in Stream. You can either send to the collector/event endpoint, or the collector/_raw endpoint. The collector/event endpoint expects a JSON event. Can you share what the payload you're testing with looks like?

    A typical sample:

    {
      "index": "someindex", 
      "sourcetype": "some_st",
      "source": "some_path",
      "event": "your event data here, whether json or plain ol text"
    }
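
The answer above says the collector/event endpoint expects a JSON event in the envelope shown. As an added example (not part of the original thread, and not Cribl or Splunk code), this Python check runs over a request body before it is sent and reports objects that do not match that envelope. Assumptions: a body may hold several concatenated JSON objects, each needs a non-empty "event" key, and the function names and sample records are constructed for illustration.

```python
import json


def wrap_for_event_endpoint(record, index, sourcetype, source):
    """Wrap a record (dict or plain text) in the envelope from the answer."""
    return {"index": index, "sourcetype": sourcetype,
            "source": source, "event": record}


def check_event_body(body):
    """Return a list of problems in a collector/event request body.

    Assumption: the body is one JSON object or several concatenated
    objects, and each must carry a non-empty "event" key.
    """
    problems, decoder = [], json.JSONDecoder()
    pos, count = 0, 0
    while True:
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            break
        count += 1
        try:
            obj, pos = decoder.raw_decode(body, pos)
        except json.JSONDecodeError as exc:
            problems.append(f"object {count}: not valid JSON at offset {exc.pos}")
            break  # cannot resynchronise after a parse failure
        if not isinstance(obj, dict):
            problems.append(f"object {count}: top level is not a JSON object")
        elif "event" not in obj or obj["event"] in (None, ""):
            problems.append(f"object {count}: missing or empty 'event' key")
    if count == 0:
        problems.append("empty body")
    return problems


# Constructed sample: a bare JSON log record, valid JSON but not an envelope.
BARE = '{"user": "alice", "action": "login"}'
# The same record wrapped with the metadata values from the answer's sample.
WRAPPED = json.dumps(
    wrap_for_event_endpoint(json.loads(BARE), "someindex", "some_st", "some_path"))

if __name__ == "__main__":
    for name, body in [("bare", BARE), ("wrapped", WRAPPED),
                       ("batch", WRAPPED + "\n" + WRAPPED),
                       ("text", "plain ol text line")]:
        print(name, check_event_body(body) or "ok")
```

A bare record or plain text line that fails this check would need wrapping first, or sending to the raw endpoint the answer mentions instead.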