topic Re: How to over ride sourcetype using curl command for Http event collector? in Getting Data In

How to over ride sourcetype using curl command for Http event collector?

mprreddy51 — Mon, 28 Mar 2016 15:54:44 GMT

Hi,

I configured Http Event collector(EC) in my local through GUI (generated token,created index and source type) and in the backend splunk_httpinput app local got created with inputs.conf.

[http://test]
disabled = 0
index = testindex
indexes = testindex
source = testtt
sourcetype = testst
token = 8111111111111*********

and from command prompt if I run the below curl command

C:\Program Files\cURL>curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*********" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}" I can see the events in searchhead.

My question is how to override the sourcetype and index. through curl commands?

Re: How to over ride sourcetype using curl command for Http event collector?

martin_mueller — Mon, 28 Mar 2016 16:53:57 GMT

According to http://dev.splunk.com/view/event-collector/SP-CAAAE6P you can set special keys in your JSON next to the event to set metadata.

Re: How to over ride sourcetype using curl command for Http event collector?

mprreddy51 — Mon, 28 Mar 2016 17:30:30 GMT

Hi Martin,

Thanks for you reply.

My question is how to override or set source,sourcetype through curl.Can you give me an example curl command to set or override.

Re: How to over ride sourcetype using curl command for Http event collector?

martin_mueller — Mon, 28 Mar 2016 18:46:14 GMT

Here's a quote from that page:

Examples

Following are several examples of HTTP Event Collector data packets:

{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "datasource",
    "sourcetype": "txt",
    "index": "main",
    "event": { "hello": "world" }
}

In your question you've only set the event property.

Re: How to over ride sourcetype using curl command for Http event collector?

mprreddy51 — Tue, 29 Mar 2016 16:12:34 GMT

Hi Martin,

I tried below 2 command in my local windows it is not getting executed.

1)curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk D87D-F645-**D-A7E4-EA*AD8FC6" -d "{\"event\":\"Breakfast Order\"}{"time": 1426279439,"host": "localhost","source": "datasource","sourcetype": "hello","index": "abc","event": { "hello": "world" }"

2) curl -k -H "Authorization: Splunk D87D-F645-**D-A7E4-EA*AD8FC6" https://localhost:8088/services/collector/event -d '{"event":"hello world"}{"sourcetype": "hello","index": "abc"}'

Can you please correct the query if i am wrong .Thanks for your help.

Re: How to over ride sourcetype using curl command for Http event collector?

martin_mueller — Tue, 29 Mar 2016 19:27:32 GMT

Both your payloads aren't one JSON object. It should be something like ... -d '{"event":"hello world", "sourcetype": "hello", "index": "abc"}'.

Re: How to over ride sourcetype using curl command for Http event collector?

mprreddy51 — Tue, 29 Mar 2016 20:30:33 GMT

Hi Miller,

Now it is working.I tried like this in windows.

curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk D87*D-F645-D-A7E4-EAAD8FC6" -d "{\"time\": 1437522387,\"host\": \"localhost1\",\"source\": \"testapp1\",\"sourcetype\":\"testapp1\",\"index\":\"testindexxxxxx\",\"event\": {\"message\": \"Something happened1\",\"severity\": \"WARN\"}}"

Thanks.