<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Sending input data over HTTP in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73285#M15025</link>
    <description>&lt;P&gt;@justjosh, Yes, you can send raw event on the wire directly to a TCP. They should be in best practice format, but it should handle them just fine.  In your props you will have to define how to turn the stream into an event. Like MarioM mention earlier there are to REST endpoint call recievers/simple and receivers/stream.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fstream"&gt;http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fstream&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fsimple"&gt;http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fsimple&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6"&gt;http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Hope this helps.&lt;/P&gt;</description>
    <pubDate>Thu, 27 Sep 2012 17:18:25 GMT</pubDate>
    <dc:creator>bmacias84</dc:creator>
    <dc:date>2012-09-27T17:18:25Z</dc:date>
    <item>
      <title>Sending input data over HTTP</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73283#M15023</link>
      <description>&lt;P&gt;Does Splunk support receiving a continual stream of input via an HTTP POST?&lt;/P&gt;

&lt;P&gt;The reason I ask is the web server logs I want to index in Splunk is not accessible from the Splunk Server. I already have a tool which can relay server log events over HTTP so I think this could work.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Sep 2012 15:58:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73283#M15023</guid>
      <dc:creator>justjosh</dc:creator>
      <dc:date>2012-09-27T15:58:17Z</dc:date>
    </item>
    <item>
      <title>Re: Sending input data over HTTP</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73284#M15024</link>
      <description>&lt;P&gt;you can pass the data directly via the Splunk Rest API:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT"&gt;Splunk Rest API&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 27 Sep 2012 16:12:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73284#M15024</guid>
      <dc:creator>MarioM</dc:creator>
      <dc:date>2012-09-27T16:12:15Z</dc:date>
    </item>
    <item>
      <title>Re: Sending input data over HTTP</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73285#M15025</link>
      <description>&lt;P&gt;@justjosh, Yes, you can send raw event on the wire directly to a TCP. They should be in best practice format, but it should handle them just fine.  In your props you will have to define how to turn the stream into an event. Like MarioM mention earlier there are to REST endpoint call recievers/simple and receivers/stream.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fstream"&gt;http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fstream&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fsimple"&gt;http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fsimple&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6"&gt;http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Hope this helps.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Sep 2012 17:18:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73285#M15025</guid>
      <dc:creator>bmacias84</dc:creator>
      <dc:date>2012-09-27T17:18:25Z</dc:date>
    </item>
    <item>
      <title>Re: Sending input data over HTTP</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73286#M15026</link>
      <description>&lt;P&gt;Yes. Refer to HTTP Event Collector newly introduced with Splunk 6.3&lt;BR /&gt;
&lt;A href="http://dev.splunk.com/view/event-collector/SP-CAAAE6M"&gt;http://dev.splunk.com/view/event-collector/SP-CAAAE6M&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Oct 2015 18:41:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73286#M15026</guid>
      <dc:creator>rarsan_splunk</dc:creator>
      <dc:date>2015-10-22T18:41:25Z</dc:date>
    </item>
    <item>
      <title>Re: Sending input data over HTTP</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73287#M15027</link>
      <description>&lt;P&gt;Re:&lt;/P&gt;

&lt;BLOCKQUOTE&gt;
&lt;P&gt;Does Splunk support receiving a continual stream of input via an HTTP POST?&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;

&lt;P&gt;No.&lt;/P&gt;

&lt;P&gt;Not a continual (&lt;EM&gt;endless&lt;/EM&gt;) stream.&lt;/P&gt;

&lt;P&gt;You can "batch" (send multiple) events in a single HTTP POST, but there is a maximum limit to the size of an HTTP request.&lt;/P&gt;

&lt;P&gt;The limit is set by &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bhttp_input.5D" target="_blank"&gt;max_content_length&lt;/A&gt; in &lt;CODE&gt;limits.conf&lt;/CODE&gt;. The default value, as of Splunk 6.4, is 1000000 bytes (~ 1 MB).&lt;/P&gt;

&lt;P&gt;Exceeding that limit results in the HTTP response error code 413 (request entity too large).&lt;/P&gt;

&lt;P&gt;The Splunk documentation that describes batching events (such as "&lt;A href="http://dev.splunk.com/view/SP-CAAAE6P" target="_blank"&gt;About the JSON event protocol in HTTP Event Collector&lt;/A&gt;") does not mention this limit (at least, I can't find any such mention). I think it should.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 09:37:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Sending-input-data-over-HTTP/m-p/73287#M15027</guid>
      <dc:creator>Graham_Hanningt</dc:creator>
      <dc:date>2020-09-29T09:37:39Z</dc:date>
    </item>
  </channel>
</rss>

