topic Re: Can I call REST Endpoint of Universal Forwarder to pass log data from code? in Getting Data In

Can I call REST Endpoint of Universal Forwarder to pass log data from code?

Splunk_Shinobi — Wed, 05 Jun 2013 05:46:35 GMT

Can I call REST Endpoint of Universal Forwarder to pass log data from code?
* not creating new monitor configuration

I am currently using storm to push the data using API call from code.
I am looking for any information how I can do this using universal
forwarder to pass the data to my distributed indexer environment.

Thanks,

Re: Can I call REST Endpoint of Universal Forwarder to pass log data from code?

melonman — Wed, 05 Jun 2013 07:02:20 GMT

I did Simple test, and found that if you don't have index definition in UF, the rest call will return error, but if you do, it will eat the data.

I am not sure if this is supported or not..

My environment looks like : SH/INDEXER:9997 <- UniversalForwarder:8089

and used this call:

curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"

In case without indexes.conf in your UF, the curl command returns:

$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="WARN">supplied index missing or disabled</msg>
  </messages>
</response>

if you have this entry in indexes.conf in UF,

$ cat indexes.conf 
[main]
[myindex]

then, the call went OK.

$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>myindex</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>19</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>127.0.0.1</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>www</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>test</text>
        </value>
      </field>
    </result>
  </results>
</response>
$

Re: Can I call REST Endpoint of Universal Forwarder to pass log data from code?

melonman — Thu, 06 Jun 2013 13:11:30 GMT

If you want to send to an index that doesn't exist locally, pass "check-index=false" as a GET parameter to the call.

Re: Can I call REST Endpoint of Universal Forwarder to pass log data from code?

dominiquevocat — Fri, 25 Aug 2017 20:55:16 GMT

maybe this is of some use? https://splunkbase.splunk.com/app/2775/ (soon to be updated in time for .conf 2017 🙂 )