Usage information and examples for supported HEC endpoints
You can direct the HTTP requests to the following supported HEC endpoints in Edge Processors:
- services/collector
- services/collector/raw
Using the services/collector endpoint in Edge Processors
Use the services/collector endpoint to send events in JSON format.
The Edge Processor treats each top-level JSON object as a distinct event, so you don't need to configure any additional event breaking behavior in the Edge Processor. Additionally, if the JSON object contains the following keys, the Edge Processor extracts them into event fields: fields, host, index, source, sourcetype, and time. For more information about these keys, see Event metadata in the Splunk Cloud Platform Getting Data In manual. If there are other data values that you want to extract into event fields, you'll need to configure field extractions in an Edge Processor pipeline or in the Splunk platform. For more information, refer to the resources listed in the See also section.
The following is an example of a request to the services/collector endpoint:
```bash
curl "http://buttercupgames.com:8088/services/collector" \
  -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" \
  -d '{"event": "Hello, world!", "sourcetype": "manual", "host": "host_1.splunk.com"}{"event": "something happened", "sourcetype": "manual", "host": "host_1.splunk.com", "fields":{"severity":"INFO", "category":["foo","bar"]}}'
```
This request contains 2 top-level JSON objects, so the Edge Processor ingests the request as 2 separate events. You do not need to configure any additional event breaking in the Edge Processor.
The first event contains these 3 fields:
| _raw | sourcetype | host |
|---|---|---|
| Hello, world! | manual | host_1.splunk.com |
The second event contains these 5 fields:
| _raw | sourcetype | host | severity | category |
|---|---|---|---|---|
| something happened | manual | host_1.splunk.com | INFO | "foo", "bar" |
Using the services/collector/raw endpoint in Edge Processors
Use the services/collector/raw endpoint to send raw data that requires event breaking or data that does not match the event format supported by the services/collector endpoint.
The Edge Processor treats the data payload of the HTTP request as the body of a single event. If it contains multiple events, you must configure an appropriate source type in the Edge Processor service so that the Edge Processor can break the raw data into distinct events.
If the HTTP request includes the following query string parameters, the Edge Processor extracts them into event fields: host, index, source, sourcetype, and time. For more information about these parameters, see services/collector/raw in the Splunk Enterprise REST API Reference Manual. If there are other data values that you want to extract into event fields, you'll need to configure field extractions in an Edge Processor pipeline or in the Splunk platform. For more information, refer to the resources listed in the See also section.
The following is an example of a request to the services/collector/raw endpoint:
```bash
curl "http://buttercupgames.com:8088/services/collector/raw?sourcetype=manual&host=host_1.splunk.com" \
  -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" \
  -d 'Hello, world!
something happened'
```
Without an event breaking configuration, the Edge Processor would ingest the request as a single event whose _raw field contains Hello, world! something happened.
To correctly break the raw data into 2 events, you must configure a source type in the Edge Processor service that treats newline characters as the delimiter between distinct events. Use these settings in the source type definition:
- Name: manual
- Line breaking: ([\r\n]+)
With this event breaking configuration, the Edge Processor ingests the request as 2 separate events.
The first event contains these 3 fields:
| _raw | sourcetype | host |
|---|---|---|
| Hello, world! | manual | host_1.splunk.com |
The second event contains these 3 fields:
| _raw | sourcetype | host |
|---|---|---|
| something happened | manual | host_1.splunk.com |
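The following added Python example (not Splunk's own code) models the two event-breaking behaviors described on this page: concatenated top-level JSON objects on services/collector, and a raw body on services/collector/raw that stays one event unless a source type supplies the ([\r\n]+) line breaker. The payloads are constructed to mirror the two curl requests above, and the extracted field sets match the tables.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Keys the Edge Processor promotes from the JSON object (collector) or the
# query string (collector/raw) into event fields. The sender chooses these
# values, so index/host routing should treat them as untrusted input.
METADATA_KEYS = ("host", "index", "source", "sourcetype", "time")

# Payloads mirroring the two curl requests on this page (constructed for this example).
COLLECTOR_BODY = (
    '{"event": "Hello, world!", "sourcetype": "manual", "host": "host_1.splunk.com"}'
    '{"event": "something happened", "sourcetype": "manual", "host": "host_1.splunk.com", '
    '"fields":{"severity":"INFO", "category":["foo","bar"]}}'
)
RAW_URL = "http://buttercupgames.com:8088/services/collector/raw?sourcetype=manual&host=host_1.splunk.com"
RAW_BODY = "Hello, world!\nsomething happened"


def collector_events(body):
    """One event per top-level JSON object; objects may be concatenated with no separator."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while pos < len(body):
        if body[pos].isspace():  # tolerate whitespace between objects
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)  # parse one object, advance past it
        event = {"_raw": obj["event"]}
        event.update({k: obj[k] for k in METADATA_KEYS if k in obj})
        event.update(obj.get("fields", {}))  # custom fields become top-level event fields
        events.append(event)
    return events


def raw_events(url, body, line_breaker=None):
    """Whole body is one event unless a source type supplies a line-breaking regex."""
    query = parse_qs(urlparse(url).query)
    meta = {k: v[0] for k, v in query.items() if k in METADATA_KEYS}
    if line_breaker is None:
        chunks = [body]
    else:
        # re.split keeps captured delimiters, so drop the whitespace-only pieces
        chunks = [c for c in re.split(line_breaker, body) if c.strip()]
    return [{"_raw": c, **meta} for c in chunks]


if __name__ == "__main__":
    print(collector_events(COLLECTOR_BODY))
    print(raw_events(RAW_URL, RAW_BODY, r"([\r\n]+)"))
```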