Getting Data In

Can I call REST Endpoint of Universal Forwarder to pass log data from code?

Splunk_Shinobi
Splunk Employee

Hi

Can I call the REST endpoint of a Universal Forwarder to pass log data from code?
* without creating a new monitor configuration

I am currently using Storm to push the data using an API call from code.
I am looking for any information on how I can do this using a universal
forwarder to pass the data to my distributed indexer environment.

Thanks,

0 Karma
1 Solution

melonman
Motivator

I did a simple test and found that if you don't have an index definition in the UF, the REST call will return an error, but if you do, it will eat the data.

I am not sure if this is supported or not.

My environment looks like: SH/INDEXER:9997 <- UniversalForwarder:8089

and I used this call:

curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"

Without indexes.conf in your UF, the curl command returns:

$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="WARN">supplied index missing or disabled</msg>
  </messages>
</response>

If you have this entry in indexes.conf in the UF,

$ cat indexes.conf 
[main]
[myindex]

then the call went OK.

$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>myindex</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>19</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>127.0.0.1</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>www</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>test</text>
        </value>
      </field>
    </result>
  </results>
</response>
$ 


0 Karma

dominiquevocat
SplunkTrust

Maybe this is of some use? https://splunkbase.splunk.com/app/2775/ (soon to be updated in time for .conf 2017 🙂 )

0 Karma


melonman
Motivator

If you want to send to an index that doesn't exist locally, pass "check-index=false" as a GET parameter to the call.

0 Karma
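The same call done from code, as an added example that is not part of the thread: it builds the receivers/simple URL with the index, source and sourcetype parameters used above (plus the check-index=false parameter from the follow-up), posts an event body with basic auth, and distinguishes the two response shapes shown in the accepted answer. The function names are hypothetical, the UF base URL and credentials are assumed to be supplied by the caller, and, unlike curl -k, TLS certificate verification is left on.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Responses copied from the thread, embedded here as offline sample input.
MISSING_INDEX_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response><messages><msg type="WARN">supplied index missing or disabled</msg></messages></response>"""
ACCEPTED_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response><results><result>
<field k="_index"><value><text>myindex</text></value></field>
<field k="bytes"><value><text>19</text></value></field>
<field k="host"><value><text>127.0.0.1</text></value></field>
<field k="source"><value><text>www</text></value></field>
<field k="sourcetype"><value><text>test</text></value></field>
</result></results></response>"""

def build_simple_receiver_url(base, index, source, sourcetype, check_index=True):
    """Build the receivers/simple URL with the query parameters used in the thread (hypothetical helper)."""
    params = {"index": index, "source": source, "sourcetype": sourcetype}
    if not check_index:
        # From the follow-up answer: lets the UF accept an index that is not defined locally.
        params["check-index"] = "false"
    return f"{base.rstrip('/')}/services/receivers/simple?" + urllib.parse.urlencode(params)

def parse_receiver_response(xml_text):
    """Return ('error', message) for a <messages> reply, or ('ok', {field: value}) for a <results> reply."""
    root = ET.fromstring(xml_text)
    msg = root.find("./messages/msg")
    if msg is not None:
        return "error", (msg.text or "").strip()
    fields = {}
    for field in root.findall("./results/result/field"):
        text = field.find("./value/text")
        fields[field.get("k")] = text.text if text is not None else None
    return "ok", fields

def send_event(base, index, source, sourcetype, payload, user, password, cafile=None, check_index=True):
    """POST one event body to the UF's simple receiver and parse the reply (makes a real network call)."""
    url = build_simple_receiver_url(base, index, source, sourcetype, check_index)
    req = urllib.request.Request(url, data=payload.encode("utf-8"), method="POST")
    # Basic auth like curl -u; read credentials from the environment rather than hardcoding them.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", f"Basic {token}")
    # Unlike curl -k, certificate verification stays on; cafile is the CA that signed the UF's cert.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_receiver_response(resp.read().decode("utf-8"))
```

A "supplied index missing or disabled" reply means the event was rejected, so callers should treat the ('error', ...) tuple as a failed send rather than assuming the data reached the indexers.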