topic Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector in Getting Data In

Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

jjoshi6 — Sun, 01 Nov 2020 06:36:48 GMT

Hello Folks,

I have data in JSON format (data.json). I want to visualize the data by creating a dashboard in Splunk Enterprise. Due to my company structure, I can only use the HTTP event collector (HEC) to send data to Splunk Enterprise. Can anyone please help me with the python based script if you have any template where I have to just enter the token key and URL to make it happen. Please help me as I need it on a quicker basis as it is super important for my project.

Thank you.

Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

isoutamo — Sun, 01 Nov 2020 09:48:38 GMT

Hi
This seem so be reasonable example. https://github.com/jyung-hk/hec
You could find lot of other examples from net with google, if this is not suitable for you.
r. Ismo

Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

inventsekar — Sun, 01 Nov 2020 13:03:31 GMT

Hi @jjoshi6 ... hope you checked the github code and doing fine on your project work.

i assume you are new to Splunk. maybe i would like to suggest you...

1. play with a basic HEC data ingestion. once data from client reaches indexer, try to run SPL searches, try to create a basic dashboard on the HEC ingested data.

2. when you feel comfortable, then, as per your requirement, create some basic python template for HEC data onboarding.

3. when you are in doubt, reply us your current position in detail, then, someone can help on your task.

4. For JSON format data, while searching, remember the command "spath"(field extraction on xml, json logs)(you dont need to write regular expressions for field extraction).

~ Happy Splunking | Best Regards | Sekar | PS - Karma points appreciated!

Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

jjoshi6 — Fri, 06 Nov 2020 01:41:34 GMT

@inventsekar

Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

inventsekar — Fri, 06 Nov 2020 01:50:56 GMT

Hi @jjoshi6 .. you seems to be newbie to both python and splunk.. so its a big task i would say to a newbie.

so, lets do this step by step...

1. have you configured data ingestion from a UF to indexer?

2. have you configured some "scripted inputs" from a UF to indexer?

3. have you configured a basic HEC data input to indexer..

once you done these you will feel more comfortable and then you can check the github page which @richgalloway (on the other post)and @isoutamo given. hope its clear, all the best to your splunk and python journey!

As a new member, you may not know about karma points,.. karma points will show your appreciation. thanks!

Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

jjoshi6 — Fri, 06 Nov 2020 02:00:05 GMT

@inventsekar

For all these three questions. I would say NO because I tried to send pseudo using CURL and it worked.

Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

inventsekar — Fri, 06 Nov 2020 02:02:32 GMT

ok sure, have you tried the "scripted input" method of "getting data in"

https://docs.splunk.com/Documentation/Splunk/8.1.0/AdvancedDev/ScriptedInputsIntro

Re: Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

jjoshi6 — Fri, 06 Nov 2020 02:13:47 GMT

The permissions that I have for accessing splunk in my company does not allow me to Add Data. That's why I requested you to help me in writing Python Script.

@inventsekar