Splunk® Data Stream Processor

Getting Data In

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Set and use default field values in DSP HEC

If an event does not contain a value in the time, source, sourcetype, or index field, a default value is used for that field.

Use the time an event is received to set the default time field values

If an event does not contain a value in the time field, the time in UTC that the event is received is used.

The following example demonstrates how the time field is set if the event does not contain a value in the time field.

curl -k "https://<DSP_HOST>:31000/services/collector/event" \
    -H "Authorization: Splunk <dsphec-token>" \
    -d '{
         "event": "Hello, world!"
       }'

This will ingest an event with the time field set to the time the event was received.

{
    "event": "Hello, world!",
    "time": <received_time_utc>
}

Use query parameters to set default field values

Default values for the source, sourcetype, and index fields can be set by the client as query parameters in each request. For any of these fields that a record in the request does not contain, the value of the corresponding query parameter is used.

The following example demonstrates a Splunk HEC API request with default values set as query parameters and a specific sourcetype set in the request body. A value in the request body takes precedence over the query parameter default.

curl -k "https://<DSP_HOST>:31000/services/collector/event?source=curl&index=default&sourcetype=http" \
    -H "Authorization: Splunk <dsphec-token>" \
    -d '{
         "sourcetype": "sourcetype_name",
         "event": "Hello, world!"
       }'

This example will ingest an event with the sourcetype field set to the value specified in the request body (sourcetype_name), not the value of the sourcetype query parameter (http). The source and index fields, which are absent from the body, take their values from the query parameters.

{
    "source": "curl",
    "sourcetype": "sourcetype_name",
    "index": "default",
    "event": "Hello, world!",
    "time": <received_time_utc>
}

Use the metadata associated with the DSP HEC token to set default field values

Default values for the source, sourcetype, and index fields can also be stored in the DSP HEC token. If a record in the request does not contain one of these fields, and no default for that field was set as a query parameter in the request, the default value from the token is used.

The following example demonstrates how to use the Ingest REST API to create a token with a default value for the sourcetype field.

curl -X POST "https://<DSP_HOST>:31000/default/ingest/v1beta2/collector/tokens" \
    -H "Authorization: Bearer <token>" \
    -H "Content-Type: application/json" \
    -d '{
          "name": "<token_name>",
          "sourcetype": "sourcetype_name"
         }'

The following example demonstrates how to use this DSP HEC token in the Splunk HEC API to POST an event without a sourcetype field specified.

curl -k "https://<DSP_HOST>:31000/services/collector/event?source=curl&index=default" \
    -H "Authorization: Splunk <dsphec-token>" \
    -d '{
         "event": "Hello, world!"
       }'

This will ingest an event with the sourcetype field set to the value specified in the DSP HEC token.

{
    "source": "curl",
    "sourcetype": "sourcetype_name",
    "index": "default",
    "event": "Hello, world!",
    "time": <received_time_utc>
}
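The three sections above describe one precedence rule: a value in the record wins, then a query parameter on the request, then the metadata stored with the DSP HEC token, and a missing time falls back to the UTC time of receipt. The following added example (not part of the Splunk documentation or DSP code) models that rule so the outcome of a request can be checked offline before sending it; the dict shape of the token metadata and the example hostname are assumptions.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Fields DSP HEC fills with defaults when the record lacks them. Precedence:
# value in the record, then the request query parameter, then the DSP HEC
# token metadata. The time field falls back to the UTC time of receipt.
DEFAULTED_FIELDS = ("source", "sourcetype", "index")


def query_defaults(url):
    """Extract ?source=..&sourcetype=..&index=.. defaults from a collector URL."""
    params = dict(parse_qsl(urlsplit(url).query))
    return {k: v for k, v in params.items() if k in DEFAULTED_FIELDS}


def resolve_event(record, url, token_metadata=None, received_at=None):
    """Return the event as it would be ingested after default-field resolution.

    record: the JSON object sent in the request body
    url: the /services/collector/event URL, possibly with query parameters
    token_metadata: defaults stored on the DSP HEC token; assumed to be a
        dict such as {"sourcetype": "sourcetype_name"}, None if it has none
    received_at: aware UTC datetime the event arrived; defaults to now
    """
    defaults = query_defaults(url)
    token_metadata = token_metadata or {}
    received_at = received_at or datetime.now(timezone.utc)
    resolved = dict(record)
    for field in DEFAULTED_FIELDS:
        if field in resolved:
            continue  # a value in the record wins over any default
        if field in defaults:
            resolved[field] = defaults[field]
        elif field in token_metadata:
            resolved[field] = token_metadata[field]
    if "time" not in resolved:
        # No time in the record: the UTC time of receipt is used.
        resolved["time"] = received_at.timestamp()
    return resolved


if __name__ == "__main__":
    # Constructed request mirroring the page's second example: the body
    # sourcetype overrides the sourcetype=http query parameter.
    url = ("https://dsp.example:31000/services/collector/event"
           "?source=curl&index=default&sourcetype=http")
    body = json.loads('{"sourcetype": "sourcetype_name", "event": "Hello, world!"}')
    print(json.dumps(resolve_event(body, url), indent=2))
```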
Last modified on 23 October, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0