Set and use default field values in DSP HEC
If events do not contain a value in the time, source, sourcetype, or index fields, default values are used.
Use the time an event is received to set the default time field values
If an event does not contain a value in the time field, the time in UTC that the event is received is used.
The following example demonstrates how the time field is set if the event does not contain a value in the time field.
curl -k "https://<DSP_HOST>:31000/services/collector/event" \
  -H "Authorization: Splunk <dsphec-token>" \
  -d '{ "event": "Hello, world!" }'
This will ingest an event with the time field set to the time the event was received.
{ "event": "Hello, world!", "time": <received_time_utc> }
Use query parameters to set default field values
Default values for the source, sourcetype, and index fields can be set by the client in each request. If the records in the request don't contain a source, sourcetype, or index field, the default value will be used.
The following example demonstrates a Splunk HEC API request with default values for source, index, and sourcetype set as query parameters and a specific sourcetype set in the request body.
curl -k "https://<DSP_HOST>:31000/services/collector/event?source=curl&index=default&sourcetype=http" \
  -H "Authorization: Splunk <dsphec-token>" \
  -d '{ "sourcetype": "sourcetype_name", "event": "Hello, world!" }'
This example will ingest an event with the sourcetype field set to the value specified in the request body (sourcetype_name), which takes precedence over the sourcetype=http query parameter; source and index are filled from the query parameters.
{ "source": "curl", "sourcetype": "sourcetype_name", "index": "default", "event": "Hello, world!", "time": <received_time_utc> }
Use the metadata associated with the DSP HEC token to set default field values
Default values for the source, sourcetype, and index fields can be set in the DSP HEC token. If the records in the request don't contain a source, sourcetype, or index field, and a default field value has not been set as a query parameter in the request, then the default value from the token is used.
The following example demonstrates how to use the Ingest REST API to create a token with a default value for the sourcetype field.
curl -X POST "https://<DSP_HOST>:31000/default/ingest/v1beta2/collector/tokens" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{ "name": "<token_name>", "sourcetype": "sourcetype_name" }'
The following example demonstrates how to use this DSP HEC token in the Splunk HEC API to POST an event without a sourcetype field specified.
curl -k "https://<DSP_HOST>:31000/services/collector/event?source=curl&index=default" \
  -H "Authorization: Splunk <dsphec-token>" \
  -d '{ "event": "Hello, world!" }'
This will ingest an event with the sourcetype field set to the value specified in the DSP HEC token.
{ "source": "curl", "sourcetype": "sourcetype_name", "index": "default", "event": "Hello, world!", "time": <received_time_utc> }
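The three sections above describe one precedence rule: a field in the request body wins, then the query parameter, then the token metadata, and a missing time is set to the received time. The following is an added example, not Splunk or DSP code, that models that rule in Python so the request shapes on this page can be checked offline; the function names, the plain-dict inputs and the sample URL are assumptions made for illustration.

```python
# Added example, not Splunk/DSP code: a model of the default-field precedence
# documented on this page, so the request shapes above can be checked offline.
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

DEFAULTABLE_FIELDS = ("source", "sourcetype", "index")


def defaults_from_url(url):
    """Pick the source/sourcetype/index query parameters out of a collector URL."""
    params = parse_qs(urlsplit(url).query)
    return {f: params[f][0] for f in DEFAULTABLE_FIELDS if f in params}


def resolve_event_fields(event, query_params=None, token_defaults=None, received_time=None):
    """Return the event as it would be ingested, per the documented precedence.

    For source, sourcetype and index (highest priority first):
      1. the field in the request body
      2. the matching query parameter on the request URL
      3. the metadata stored with the DSP HEC token
    If time is absent, it is set to the UTC time the event was received.
    The plain-dict shapes of the inputs are an assumption made for this example.
    """
    query_params = query_params or {}
    token_defaults = token_defaults or {}
    if received_time is None:
        received_time = datetime.now(timezone.utc).timestamp()

    resolved = dict(event)  # never mutate the caller's event
    for field in DEFAULTABLE_FIELDS:
        if field in resolved:
            continue  # a body value wins over every default
        if field in query_params:
            resolved[field] = query_params[field]
        elif field in token_defaults:
            resolved[field] = token_defaults[field]
        # no further fallback is documented: the field stays unset
    if "time" not in resolved:
        resolved["time"] = received_time
    return resolved


if __name__ == "__main__":
    # Constructed inputs mirroring the second request on this page.
    url = "https://dsp.example:31000/services/collector/event?source=curl&index=default&sourcetype=http"
    body = {"sourcetype": "sourcetype_name", "event": "Hello, world!"}
    print(resolve_event_fields(body, defaults_from_url(url), received_time=1700000000.0))
```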
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0