Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to upload a .csv file onto a Splunk remote server using Python?

vkannampuzha
Explorer
‎08-18-2019 09:06 PM

Hi all,

I am trying to upload a .csv file onto a remote Splunk server through the use of a Python script and I am having a bit of difficulty in getting this to run. The methods I have tried are:

Method 1: Creating a service and then connecting to the server 

 """Connect to splunk local"""

     import splunklib.client as client
     import splunklib.results as results
     from splunklib.binding import AuthenticationError

     HOST=hostname
     PORT = '8089'
     USERNAME = 'username'
     PASSWORD = 'password'
     try:
         service = client.connect(host=HOST, port=PORT, username=USERNAME, password=PASSWORD)
     except exception as e:
         print(str(e))

The issue with this was that it never seemed to connect. Please note that the host was not a local host but rather a remote Splunk server.

Method 2: Using the HTTP Event Collector

Whilst the HTTP event collector worked well in sending the data through line by line, however, the data needs to be in csv format, not JSON, which it is converted to.

Any thoughts and suggestions on how to proceed would be much helpful! Would prefer to be python based solution rather than setting up a file monitor on Splunk

Cheers,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

starcher
Influencer
‎08-19-2019 06:16 AM

If you mean csv lookup ,csv lookups are not part of the REST API. You'd need to use KVStore. if this is data why does it need to be csv? JSON with HEC is substantially simpler. If it absolutely must be csv data vs a lookup you can always use RAW mode with HEC.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

starcher
Influencer
‎08-19-2019 06:16 AM

If you mean csv lookup ,csv lookups are not part of the REST API. You'd need to use KVStore. if this is data why does it need to be csv? JSON with HEC is substantially simpler. If it absolutely must be csv data vs a lookup you can always use RAW mode with HEC.

0 Karma
Reply
Solved! Jump to solution

starcher
Influencer
‎08-19-2019 06:20 AM

https://github.com/georgestarcher/Splunk-Class-httpevent

0 Karma
Reply
Solved! Jump to solution

vkannampuzha
Explorer
‎08-19-2019 07:32 PM

I do agree with JSON being much simpler with HEC, however, the data is being used for pre-existing models that require the format to be csv. I just tried the RAW mode and that seems to be much better. Is there any way for Splunk to recognise fields then with this method?

Thanks very much for your help!

0 Karma
Reply
Solved! Jump to solution

starcher
Influencer
‎08-20-2019 06:04 AM

Read the docs on getting data into Splunk. Setup your sourcetype. setup it's parsing etc.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Getstartedwithgettingdatain

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...