It seems you’ve answered your own question – namely, the JSO blob you’re trying to POST is too big for the HEC to handle
Split it into smaller chunks instead of trying to batch it all at once
from User warren – Stack Overflow https://stackoverflow.com/questions/73158177/10k-curl-post-request-to-splunk/73208072#73208072
via IFTTT