topic Re: Python splunk submit event doesnt work correctly, event not found in splunk in Splunk Dev

Python splunk submit event doesnt work correctly, event not found in splunk

kairat — Mon, 09 Jul 2018 05:48:39 GMT

When I try to add event string like = "37.31.31.31 - - [13/Dec/2015:23:08:40 +0100] ""POST /administrator/index.php HTTP/1.1"" 200 4494 ""http://almhuette-raith.at/administrator/"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

It ignores it, not throwing any errors.

When I send events like "HELLO", "THIS IS TEST" it works.

The code sample is here:

import splunklib.client as client
service = client.connect(
                        host=HOST,
                        port=PORT,
                        username=USERNAME,
                        password=PASSWORD)

myindex = service.indexes["main"]
myindex.submit(STRING, sourcetype="access_combined.log", host="local")

Version 2
with myindex.attached_socket(sourcetype='access_combined.log') as sock:
    sock.send(str.encode(STRING))

Re: Python splunk submit event doesnt work correctly, event not found in splunk

kairat — Tue, 10 Jul 2018 03:58:13 GMT

I want to send an event using python-sdk.

Event's content "145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

If we remove colons event will be sent, please, help me.

The code below doesn't show any mistake, neither add an event to splunk

import splunklib.client as client

service = client.connect(
                        host=HOST,
                        port=PORT,
                        username=USERNAME,
                        password=PASSWORD)
myindex = service.indexes["main"]
mysocket = myindex.attach(sourcetype='access_combined.log',host='local')
mysocket.send(str.encode('"145.255.2.146 - - [2015-12-12 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""'))
mysocket.close()

Re: Python splunk submit event doesnt work correctly, event not found in splunk

poete — Tue, 10 Jul 2018 06:11:14 GMT

Hello @kairat
,
did you try to escape the colons? I mean did you try to replace " with \" ?

Re: Python splunk submit event doesnt work correctly, event not found in splunk

kairat — Wed, 11 Jul 2018 04:26:42 GMT

It's OK with double quotes, the problem is about : When I removed colons(:), as in the comment provided with code, it works. I don't know why it's so.

Re: Python splunk submit event doesnt work correctly, event not found in splunk

starcher — Thu, 12 Jul 2018 15:44:50 GMT

You are also better off sending data via HEC rather than directly via the API like this. Since you are in python already you can use a HEC class like https://github.com/georgestarcher/Splunk-Class-httpevent

Re: Python splunk submit event doesnt work correctly, event not found in splunk

kairat — Tue, 29 Sep 2020 20:27:10 GMT

Thanks for your answer, the problem is in ":" colons in event, it still doesn't work with the code your provided on github. I wonder if you can try it, in my case it ignores

"145.255.2.146 - - [2015-12-12*:22:21:00* +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

PS: If I remove colons ":" it works as in using socket, and your code.

Re: Python splunk submit event doesnt work correctly, event not found in splunk

poete — Tue, 17 Jul 2018 06:50:45 GMT

Hello @kairat,
I am confused. In the head of the post, you stated that with that code, you could not get the event added to Splunk, and now you say it works.
Anyway, the colons you removed changed the format of the date of the event, and the result format seems quite strange.
Can you please share the way you extract the date/time info for the sourcetype?