How does data flow to the HEC?
Let's begin by looking at how data flows to the HEC. This is a multi-step process that is important to understand before we go deeper.
Logging in data
First, data needs to be logged, but before that it must be packaged at the source, which can be done in a number of different ways. These are listed as follows:
- A Splunk logging library, such as Splunk logging for Java or Splunk logging for .NET
- Another agent, such as a JavaScript request library
- The Java Apache HTTP client
- And lastly, any other client, as long as it packages the event data appropriately in JSON format
Before going further, let's review what the JSON format means. Two key-value pairs in JSON format are shown here, enclosed in braces so that together they form one JSON object. The key is listed first, then a colon, then the value of that key. Consecutive key-value pairs are separated by commas, and there is no comma after the last one:
{"time": 1636289537, "index": "main"}
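The following is an added example, not code from the original text or from Splunk, of what "appropriately packaging the event data in JSON format" looks like for the HEC event endpoint. It builds the envelope HEC expects (the payload under "event" plus the metadata keys HEC recognises: time, host, source, sourcetype, index and fields), validates it before anything is sent, and serialises a batch of several events as consecutive JSON objects in one body, which is how HEC accepts multiple events per request. The sample events are constructed for illustration; sending the body over HTTP and the token header are left out here, as they belong with the next step.

```python
import json
import time

# Top-level keys the HEC event endpoint recognises besides "event".
# A typo such as "indx" would silently not do what the sender intended,
# so this helper treats any other top-level key as an error.
HEC_METADATA_KEYS = frozenset({"time", "host", "source", "sourcetype", "index", "fields"})


def build_hec_event(event, *, index=None, sourcetype=None, host=None,
                    source=None, epoch=None, fields=None):
    """Package one event for HEC's /services/collector/event endpoint.

    `event` is a string or a JSON-serialisable dict; `epoch` is the event
    time in seconds since the Unix epoch (defaults to now). Returns the
    envelope as a dict; metadata keys are only included when given.
    """
    if event is None or event == "" or event == {}:
        raise ValueError("event must not be empty")
    envelope = {"time": epoch if epoch is not None else time.time(), "event": event}
    for key, value in (("index", index), ("sourcetype", sourcetype),
                       ("host", host), ("source", source), ("fields", fields)):
        if value is not None:
            envelope[key] = value
    return envelope


def envelope_errors(envelope):
    """Return a list of problems with an envelope; an empty list means it is well formed."""
    errors = []
    if "event" not in envelope:
        errors.append("missing 'event' key")
    unknown = sorted(set(envelope) - HEC_METADATA_KEYS - {"event"})
    if unknown:
        errors.append(f"unexpected top-level keys: {unknown}")
    if "time" in envelope and not isinstance(envelope["time"], (int, float)):
        errors.append("'time' must be epoch seconds as a number")
    if "fields" in envelope and not isinstance(envelope["fields"], dict):
        errors.append("'fields' must be a JSON object")
    return errors


def serialize_batch(envelopes):
    """Serialise several envelopes as consecutive JSON objects for one HEC POST body."""
    for env in envelopes:
        problems = envelope_errors(env)
        if problems:
            raise ValueError("; ".join(problems))
    return "\n".join(json.dumps(env, separators=(",", ":")) for env in envelopes)


def parse_batch(body):
    """Decode a body of consecutive JSON objects back into validated envelopes.

    Useful on the receiving side of a relay, or to check a body before it
    leaves the sender: a single malformed object makes the whole call fail.
    """
    decoder = json.JSONDecoder()
    pos, envelopes = 0, []
    while pos < len(body):
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            break
        obj, pos = decoder.raw_decode(body, pos)
        problems = envelope_errors(obj)
        if problems:
            raise ValueError("; ".join(problems))
        envelopes.append(obj)
    return envelopes


if __name__ == "__main__":
    # Constructed sample events, not real log data.
    body = serialize_batch([
        build_hec_event({"action": "login", "result": "failure", "user": "alice"},
                        index="main", sourcetype="auth", epoch=1636289537),
        build_hec_event("sshd: accepted publickey for bob", index="main", epoch=1636289540),
    ])
    print(body)
    print(len(parse_batch(body)), "events round-tripped")
```

Note that `time` is sent as a number (epoch seconds), not a formatted date string; a string value here is the most common packaging mistake and `envelope_errors` reports it before the request is built.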
Using a token with data
Second, the system needs...