Hello,
I am trying to use the HTTP Event Collector, but the events are not indexed when I use a custom sourcetype (really similar to the _json src type).
If I use the **_json** src type or a src type that does not exist at all, the events are correctly indexed (strange!)
Curl command:
```
curl -k "http://localhost:8088/services/collector/raw?sourcetype=customjson" -H "Authorization:Splunk bbe739dc-5fc1-48b2-ac9b-33c7e3b98b2f" -d "@test.json"
```
Response of curl command: {"text":"Success","code":0}
Splunk side: Token created and set with correct index and src type. Global settings set with same index and src type.
Could you please help me understand why the events are not indexed if I use a custom src_type?
Thanks a lot!