Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector: Is it possible to send multiple events in one API call?

vyarchak
Engager
‎10-13-2016 03:28 PM

In HTTP Event Collector, is it possible to send multiple events in one API call? I tried setting line break properties in props.conf, but unfortunately that did not help. Here's what my props.conf look like now:

 [host::localhost]
 SHOULD_LINEMERGE = false
 LINE_BREAKER = \"event
 #TIME_PREFIX = sstime\"\:
 #MAX_TIMESTAMP_LOOKAHEAD = 10
 #TIME_FORMAT = %s

Here's my curl call as an example:

curl http://example.com:8088/services/collector/raw?channel=HIDDENC0-FCH1-46HE-96HA-HIDDENFBC4AB -H 'Authorization: Splunk HIDDEN88-C2GC-4FE6-5982-B245881A8847' -d '{"event":{"host":"localhost","sourcetype":"txt","index":"b","SeqID":1,"TypeID":1,"Name":"test1","Detail":"test event1","Session":"1","Time":"2016/09/19 00:00:00"},"event":{"host":"localhost","sourcetype":"txt","index":"b","SeqID":2,"TypeID":2,"Name":"test2","Detail":"test event 2","Session":"2","Time":"2016/09/20 00:00:00"}}'

What am I doing wrong? How can I create 2 event entries in Splunk with one API call?

Reply

starcher
Influencer
‎10-15-2016 09:25 AM

You can see example python code with batch mode: http://blogs.splunk.com/2015/12/11/http-event-collect-a-python-class/

0 Karma
Reply

starcher
Influencer
‎10-16-2016 06:43 AM

I also just updated the python code in the repo to add raw input support for Splunk v6.4+.

0 Karma
Reply

dasaed
Explorer
‎03-08-2023 10:00 AM

the link to the python is broken. Would you happen to have an updated link?

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎10-14-2016 12:52 AM

http://dev.splunk.com/view/event-collector/SP-CAAAE6P covers the format of batch events within the HTTP event collector.

Following the below examples you will not need to worry about things like LINE_BREAKER in props.conf

Just ensure things like time, host, source are broken out from the event itself (so your original JSON will need some tweaking). This applies when using the https://example.com:8088/services/collector/event endpoint not the http://example.com:8088/services/collector/raw endpoint.

From the link......

{
    "time": 1437522387,
    "host": "dataserver992.example.com",
    "source": "testapp",
    "event": { 
        "message": "Something happened",
        "severity": "INFO"
    }
}

To batch (from link)......

{
  "event":"event 1", 
  "time": 1447828325
}

{
  "event":"event 2", 
  "time": 1447828326
}

Combining these you would have something like this

{
    "time": 1437522387,
    "host": "dataserver992.example.com",
    "source": "testapp",
    "event": { 
        "message": "Something happened",
        "severity": "INFO"
    }
}

{
    "time": 1437522388,
    "host": "dataserver993.example.com",
    "source": "testapp",
    "event": { 
        "message": "Something else happened",
        "severity": "DEBUG"
    }
}
Reply

DjNaGuRo
Explorer
‎05-28-2021 06:38 AM

Hi!

Please, how can we construct stacked (or batched) json object events from a file's rows ?

Reply

unitedmarsupial
Path Finder
‎12-04-2019 06:21 PM

I've reimplemented my own Python forwarder to batch-up the events like this, and things seem to be faster. Is there a server-side limit on the length of the event-list, however?

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎12-05-2019 12:36 AM

max_content_length looks like the setting you are after as defined in limits.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bhttp_input.5D

You might want to consider making your Python code configurable to handle this in case admins have changed this limit on the Splunk server.

0 Karma
Reply

dave_maclean
Explorer
‎03-01-2017 09:57 AM

I'm curious why a JSON array can't be used to pass multiple events to the HTTP Event Collector. "Stacking" events isn't valid JSON, which means I have to deal with that on the sending side.

Reply

DjNaGuRo
Explorer
‎05-29-2021 12:36 AM

Please @dave_maclean, how did you deal with stacked JSON objects construction ?

I've to construct it from the row of my file but I've faced problem with that in python such as "EOL ...", "Can't concat string with dict..."

Thanks in advance to anyone who can help me to resolve this issue.

Reply

starcher
Influencer
‎03-01-2017 09:59 AM

You can submit batch events in a post. See example code in my answer above.

0 Karma
Reply

mattilehtinen
Engager
‎01-09-2020 10:46 PM

upvoting the question and downvoting the answer - since not the answer to dave.maclean's question. Why is it required to do the "stacking" hacks on the sending side instead of following the standard?

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...