When you send data to the HTTP Event Collector (HEC) in Splunk without specifying a sourcetype, Splunk will use the default settings configured for the HEC token. Here’s what happens:

1. Default Behavior:

• If the sourcetype is not specified in the payload or HEC token configuration, Splunk will attempt to automatically assign a sourcetype based on the input type or will use a default generic sourcetype like hec_event.
• The default sourcetype is often "_json" if Splunk detects a JSON-formatted payload, which enables automatic JSON field extraction.

2. Automatic Parsing with _json Sourcetype:

• If your data is in JSON format and the sourcetype is not specified, Splunk assigns the sourcetype as "_json".
• When the sourcetype is "_json", Splunk automatically parses the JSON structure and extracts the key-value pairs as fields.

Example: Payload sent without sourcetype: json { "event": { "host": "test-server", "plugin": "cpu", "values": [25.5] } } Splunk will typically interpret this with sourcetype="_json" and extract fields like host, plugin, and values.

3. HEC Token Default Settings:

• The HEC token configuration may have a default sourcetype set. You can check or modify this by:
  • Navigating to Settings > Data Inputs > HTTP Event Collector in Splunk.
  • Click on the specific token you are using.
  • Review the Default Index and Default Sourcetype. If the sourcetype is not set, it may default to hec_event or "_json".

4. Indexing Without Parsing:

• If the data is not in JSON format and the sourcetype is not specified, Splunk may assign a generic sourcetype like hec_raw or hec_event and will not perform automatic parsing.
• In this case, the entire raw event is indexed as a single text field (_raw), and no additional fields are extracted unless you manually configure extractions using Field Extractions or Transforms.

Best Practice: Specify the sourcetype Explicitly

To ensure that the data is parsed correctly and fields are extracted as expected, it is a good practice to explicitly specify the sourcetype in the payload or configure it in the HEC token settings.

Example of Specifying sourcetype in Payload: json { "sourcetype": "collectd_json", "event": { "host": "test-server", "plugin": "cpu", "values": [25.5] } }

Troubleshooting Tips:

• Check the _internal index for HEC logs if the data does not appear as expected: spl index=_internal source=*splunkd.log* "HTTP Event Collector"
• If the events are not parsed, try searching with just index=* to locate unparsed raw events: spl index=* | head 10

This should help you understand where the data goes and how it is handled when the sourcetype is not explicitly defined. Let me know if you need more details or specific examples!