Getting Data In

Forwarder Installed, how do I send my data to Splunk ?

mramsdale
Engager

Hi,

I am working at a corporation,  using Splunk on my browsers.  I have installed the windows forwarder and configured my user name and the Splunk server (client side).  I used the URL and the port number from the browser URL of the corporate Splunk server..

Now I want to be able to send lab data to Splunk, I don't want to monitor anything on the windows system.  The PC is just a means to run a script that can collect data from some instruments.

I was thinking the forwarder would allow me to then use some types of commands within my script (Python) to send data.  I cold write to a file, but would prefer to send data live with some kind of command.

How can this be done, is there a specific documentation for this type of activity?

Maybe I need to write to a file, let the forwarder monitor that file, and continuously overwrite that file, assuming the forwarder would look at the like on some sort of periodic basis, like 20s or 60s.

I would appreciate any general guidance on this, especially if there is documentation to use 🙂


Labels (1)
Tags (3)
0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Agree with the HEC recommendation. Start with docs here.

Note that you will use a different url/port then the one you use to access the Splunk UI. Your admin will have to configure the HEC listener on the indexer side and provide you with a load-balanced VIP address to use on your client. The default port is 8088, but it may be different depending on what your Splunk admin configured.

Assuming an existing Splunk indexing environment has been configured at your company already, you can instead go the file monitoring route and send data to indexers using the Splunk-to-Splunk protocol with the universal forwarder configured to talk to your company's indexers (outputs.conf).  Again, you wouldn't use your URL/port for the search head. By default, indexers will listen on port 9997 for data from forwarders (unless your admin set it up differently).

BTW, file monitoring by the UF is a continuous process (no periodic polling per-se) and provides you with a certain amount of resiliency against transient failure conditions you would otherwise need to handle in your application script, if going the HEC route. On top of that, the UF can also monitor files and send it over HTTP in latest product releases (httpout), so a combination of both methods is possible.

 

richgalloway
SplunkTrust
SplunkTrust

Writing data to a file monitored by a UF is a simple, quick, and easy way to get data into Splunk.  Forwarders read the data almost as soon as it's written.

Consider having your Python script write data directly to Splunk using HTTP Event Collector (HEC).  See https://github.com/georgestarcher/Splunk-Class-httpevent

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...