topic Re: HTTP event collector basic questions in Splunk Enterprise

HTTP event collector basic questions

jip31 — Tue, 24 Oct 2023 04:44:59 GMT

In the example below, I clearly understand that the "hello world" will be updated in a Splunk event

{ "time": 1426279439, // epoch time "host": "localhost", "source": "random-data-generator", "sourcetype": "my_sample_data", "index": "main", "event": "Hello world!" } curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

Now imagine that my json file contains many items like below

{ "time": 1426279439, // epoch time "host": "localhost", "source": "random-data-generator", "sourcetype": "my_sample_data", "index": "main", "event": "Hello world!" } { "time": 1426279538, // epoch time "host": "localhost", "source": "random-data-generator", "sourcetype": "my_sample_data", "index": "main", "event": "Hello eveybody!" }

Is the curl command to use should be like this?

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

Last question : instead using a prompt command to send the json logs in Splunk, is it possible to use a json script to do that? Or something else

Is anybody has good examples of that?

thanks

Re: HTTP event collector basic questions

bowesmana — Tue, 24 Oct 2023 08:25:06 GMT

Not sure I understand your examples, as you indicate the data is in a file, but you are not sending that file, only the data following the -d curl option. To send a file, you use -d @filename

Re: HTTP event collector basic questions

PickleRick — Tue, 24 Oct 2023 13:45:05 GMT

Also remember that json does not support comments.

Re: HTTP event collector basic questions

jip31 — Tue, 24 Oct 2023 14:15:53 GMT

not sure you understood my question

the curl command below create an event with "hello world"

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

imagine that in my json file I have many items with a different event name

for example "hello world", "hello world1", "hello world2".....

is the good curl command to apply is like this?

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

what i mean is that if i dont mention the name of the event, 3 events will be created in splunk with "hello world", "hello world1", "hello world2"?

Re: HTTP event collector basic questions

PickleRick — Tue, 24 Oct 2023 14:22:32 GMT

No.

As @bowesmana already told you - the -d "something" option sends the data you specify on the command line. If you want the data to be read from the file you have to specify it as the source for the POST data with the -d @filename option. And there is no "templating" you just specify raw data to be posted. So it will not work like "get a part of the data from the command line and iterate some file's contents over it".

No - if you want something like that, you have to implement it manually (bash scripting, python, PowerShell, whatever).