Splunk ignores events with many colon inside, how ...

kairat · ‎07-09-2018

I want to send an event using python-sdk.

Event's content "145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

If we remove colons event will be sent, please, help me.

The code below doesn't show any mistake, neither add an event to splunk

import splunklib.client as client

service = client.connect(
                        host=HOST,
                        port=PORT,
                        username=USERNAME,
                        password=PASSWORD)
myindex = service.indexes["main"]
mysocket = myindex.attach(sourcetype='access_combined.log',host='local')
mysocket.send(str.encode('"145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""'))
mysocket.close()

FrankVl · ‎07-10-2018

Not familiar with this python stuff, so i'll leave that to others to comment on, but I think you mean quote, not colon? At least: I don't see any colons : in your event 🙂

kairat · ‎07-10-2018

The code I provided works, but if I add :, it doesnt send event. I can replace colons, but I wonder why It doesn't work.

Splunk can read events with colons, so that's weird.

kairat · ‎07-10-2018

Colons, I forgot to add it in the event 😞 The original is like
"37.31.31.31 - - [13/Dec/2015:23:08:40 +0100] ""POST /administrator/index.php HTTP/1.1"" 200 4494 ""

Splunk ignores events with many colon inside, how to fix it?

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way