Hi
Can I call the REST endpoint of a Universal Forwarder to pass log data from code?
* not creating a new monitor configuration
I am currently using Storm to push the data using an API call from code.
I am looking for any information on how I can do this using a universal
forwarder to pass the data to my distributed indexer environment.
Thanks,
I did a simple test, and found that if you don't have an index definition in the UF, the REST call will return an error, but if you do, it will eat the data.
I am not sure if this is supported or not.
My environment looks like: SH/INDEXER:9997 <- UniversalForwarder:8089
and I used this call:
curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"
In the case without an indexes.conf in your UF, the curl command returns:
$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">supplied index missing or disabled</msg>
</messages>
</response>
If you have this entry in indexes.conf in the UF,
$ cat indexes.conf
[main]
[myindex]
then the call went OK.
$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"
<?xml version="1.0" encoding="UTF-8"?>
<response>
<results>
<result>
<field k="_index">
<value>
<text>myindex</text>
</value>
</field>
<field k="bytes">
<value>
<text>19</text>
</value>
</field>
<field k="host">
<value>
<text>127.0.0.1</text>
</value>
</field>
<field k="source">
<value>
<text>www</text>
</value>
</field>
<field k="sourcetype">
<value>
<text>test</text>
</value>
</field>
</result>
</results>
</response>
$
maybe this is of some use? https://splunkbase.splunk.com/app/2775/ (soon to be updated in time for .conf 2017 🙂 )
If you want to send to an index that doesn't exist locally, pass "check-index=false" as a GET parameter to the call.
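The same call from code, as an added example (not from the original thread or from Splunk): it builds the /services/receivers/simple URL with the index/source/sourcetype parameters and the optional check-index=false from the last comment, and parses the two XML replies shown in the answer above to tell "supplied index missing or disabled" apart from an accepted event. The send_event() helper, its base64 basic-auth header and the cafile argument (verifying the UF certificate instead of curl's -k) are my assumptions; the credentials are read from environment variables rather than hardcoded.

```python
import base64
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def build_url(base, index, source, sourcetype, check_index=True):
    """URL for the UF's simple receiver; check-index=false lets the UF accept an
    index it has no local definition for (per the last comment in the thread)."""
    params = {"index": index, "source": source, "sourcetype": sourcetype}
    if not check_index:
        params["check-index"] = "false"
    return f"{base}/services/receivers/simple?{urllib.parse.urlencode(params)}"

def parse_response(xml_text):
    """Return (accepted, details): False with the WARN message when the UF
    rejected the event, True with the echoed fields when it was ingested."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    msgs = root.findall("./messages/msg")
    if msgs:
        return False, {"type": msgs[0].get("type"), "text": msgs[0].text}
    fields = {f.get("k"): f.findtext("./value/text")
              for f in root.findall("./results/result/field")}
    return True, fields

def send_event(base, payload, index, source, sourcetype, check_index=True, cafile=None):
    """POST one event (assumed helper). Credentials come from the environment;
    cafile pins the UF's CA so TLS is verified rather than skipped as with curl -k."""
    user, password = os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(build_url(base, index, source, sourcetype, check_index),
                                 data=payload.encode(), method="POST",
                                 headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_response(resp.read())

# Constructed copies of the two replies shown in the answer above.
WARN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<response><messages><msg type="WARN">supplied index missing or disabled</msg></messages></response>"""
OK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<response><results><result>
<field k="_index"><value><text>myindex</text></value></field>
<field k="bytes"><value><text>19</text></value></field>
<field k="host"><value><text>127.0.0.1</text></value></field>
<field k="source"><value><text>www</text></value></field>
<field k="sourcetype"><value><text>test</text></value></field>
</result></results></response>"""
```

Treat `accepted == False` as a delivery failure in the calling code: the UF returns HTTP 200 with a WARN body rather than an error status, so checking only the status code silently drops events.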