This message originated from Cribl Community Slack.
Is there any way to capture a full Splunk HEC payload coming into the Splunk HEC source before it breaks out the event into _raw? I have a source sending into /services/collector/event, so I know event in the JSON is what gets stored as _raw. I would like to see the rest of the JSON outside of the event field when the data is sent. It is a cloud-based source, so I cannot check on that end. Is this possible?
