This repository has been archived by the owner on Mar 21, 2020. It is now read-only.

throws errors {"text":"Event field cannot be blank","code":13,"invalid-event-number":28} #19

Open
znorm opened this issue Sep 5, 2017 · 5 comments

znorm commented Sep 5, 2017

This doesn't always happen, but it happens continuously sometimes with no explanation of what it means, and what we can do about it.

E.g. logs:
2017-09-02 16:16:19 +0000 [error]: #0 https://<splunk-server>/services/collector: 400 (Bad Request) {"text":"Event field cannot be blank","code":13,"invalid-event-number":31}

@Jitsusama

@znorm; I would recommend configuring your plugin for HTTP access to Splunk and running a packet capture in order to trace this down. My guess is that the event field passed to Splunk is empty, which is probably caused by a log record containing a blank message value.

@sharmmoh1983

Please help me in debugging the interaction with HEC as I can't see any logs for the same.

@manuel220x

I have seen that error when you try to push an entry which is empty. To avoid the error I added a filter on fluentd to exclude empty entries as a first rule.

dancb10 commented Jan 15, 2019

@manuel220x how did you add that entry?

@manuel220x

@dancb10 I don't have access to that code anymore, but if I remember correctly it was something like this:

<filter tag>
  @type grep
  <exclude>
    key message
    pattern ^$
  </exclude>
</filter>
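
An added example, not code from this thread or from the plugin: a Python check to go with the packet-capture approach suggested above. It splits a captured HEC request body into its individual events and lists the zero-based positions whose `event` value is missing or empty, the positions to compare against `invalid-event-number`. The sample body and all function names are constructed for illustration, and treating `null` and whitespace-only strings as blank is an assumption.

```python
import json

# Constructed sample: a batched HEC request body as it might appear in a
# packet capture (JSON objects concatenated back to back). Not real data.
SAMPLE_BODY = (
    '{"time": 1504368979, "sourcetype": "fluentd", "event": "user login ok"}'
    '{"time": 1504368980, "sourcetype": "fluentd", "event": {"message": "up"}}'
    '{"time": 1504368981, "sourcetype": "fluentd", "event": ""}'
    '{"time": 1504368982, "sourcetype": "fluentd"}'
)


def split_batch(body):
    """Yield each JSON object from a concatenated (or newline-separated) batch."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(body):
        # raw_decode does not skip leading whitespace, so do it here.
        if body[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)
        yield obj


def is_blank(event):
    """Missing/null or empty string counts as blank (null/whitespace: assumption)."""
    if event is None:
        return True
    if isinstance(event, str):
        return event.strip() == ""
    return False


def blank_event_indexes(body):
    """Return zero-based positions of events with a missing or blank 'event'."""
    return [
        i for i, obj in enumerate(split_batch(body))
        if not isinstance(obj, dict) or is_blank(obj.get("event"))
    ]


if __name__ == "__main__":
    for idx in blank_event_indexes(SAMPLE_BODY):
        print(f"event #{idx} in the batch has a missing or blank 'event' field")
```
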
