HTTP Event Collector: Is it possible to send multiple events in one API call?

vyarchak
Engager

In HTTP Event Collector, is it possible to send multiple events in one API call? I tried setting line break properties in props.conf, but unfortunately that did not help. Here's what my props.conf looks like now:

 [host::localhost]
 SHOULD_LINEMERGE = false
 LINE_BREAKER = \"event
 #TIME_PREFIX = sstime\"\:
 #MAX_TIMESTAMP_LOOKAHEAD = 10
 #TIME_FORMAT = %s

Here's my curl call as an example:

curl http://example.com:8088/services/collector/raw?channel=HIDDENC0-FCH1-46HE-96HA-HIDDENFBC4AB -H 'Authorization: Splunk HIDDEN88-C2GC-4FE6-5982-B245881A8847' -d '{"event":{"host":"localhost","sourcetype":"txt","index":"b","SeqID":1,"TypeID":1,"Name":"test1","Detail":"test event1","Session":"1","Time":"2016/09/19 00:00:00"},"event":{"host":"localhost","sourcetype":"txt","index":"b","SeqID":2,"TypeID":2,"Name":"test2","Detail":"test event 2","Session":"2","Time":"2016/09/20 00:00:00"}}'

What am I doing wrong? How can I create 2 event entries in Splunk with one API call?

starcher
SplunkTrust

You can see example python code with batch mode: http://blogs.splunk.com/2015/12/11/http-event-collect-a-python-class/

0 Karma

starcher
SplunkTrust

I also just updated the python code in the repo to add raw input support for Splunk v6.4+.

0 Karma

dasaed
Explorer

The link to the Python code is broken. Would you happen to have an updated link?

0 Karma

msivill_splunk
Splunk Employee

http://dev.splunk.com/view/event-collector/SP-CAAAE6P covers the format of batch events within the HTTP event collector.

Following the examples below, you will not need to worry about things like LINE_BREAKER in props.conf.

Just ensure things like time, host, source are broken out from the event itself (so your original JSON will need some tweaking). This applies when using the https://example.com:8088/services/collector/event endpoint not the http://example.com:8088/services/collector/raw endpoint.

From the link:

{
    "time": 1437522387,
    "host": "dataserver992.example.com",
    "source": "testapp",
    "event": { 
        "message": "Something happened",
        "severity": "INFO"
    }
}

To batch (from the link):

{
  "event":"event 1", 
  "time": 1447828325
}

{
  "event":"event 2", 
  "time": 1447828326
}

Combining these, you would have something like this:

{
    "time": 1437522387,
    "host": "dataserver992.example.com",
    "source": "testapp",
    "event": { 
        "message": "Something happened",
        "severity": "INFO"
    }
}

{
    "time": 1437522388,
    "host": "dataserver993.example.com",
    "source": "testapp",
    "event": { 
        "message": "Something else happened",
        "severity": "DEBUG"
    }
}

DjNaGuRo
Explorer

Hi!

Please, how can we construct stacked (or batched) JSON object events from a file's rows?

unitedmarsupial
Path Finder

I've reimplemented my own Python forwarder to batch-up the events like this, and things seem to be faster. Is there a server-side limit on the length of the event-list, however?

0 Karma

msivill_splunk
Splunk Employee

max_content_length looks like the setting you are after as defined in limits.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bhttp_input.5D

You might want to consider making your Python code configurable to handle this in case admins have changed this limit on the Splunk server.

0 Karma
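As an added example (not code from the Splunk blog post or repo linked above, nor msivill_splunk's own), here is one way to build the newline-separated batch body for the /services/collector/event endpoint from flat rows shaped like the one in the question: host, sourcetype, index and time are lifted out of the event as described, each row is serialized with json.dumps before being joined (which avoids the "can't concat str and dict" mistake of string-joining raw dicts), and the body is split so that each request stays under the server's max_content_length from limits.conf. The sample rows, token, URL and byte budget are placeholders I constructed, and the per-request budget is assumed to be passed in by the operator rather than discovered from the server.

```python
import calendar
import json
import time
import urllib.request
from typing import Dict, Iterable, List

# Constructed sample rows, modelled on the flat JSON in the question
# (metadata and payload fields mixed together). Not real data.
SAMPLE_ROWS = [
    {"host": "localhost", "sourcetype": "txt", "index": "b", "SeqID": 1,
     "TypeID": 1, "Name": "test1", "Detail": "test event1", "Session": "1",
     "Time": "2016/09/19 00:00:00"},
    {"host": "localhost", "sourcetype": "txt", "index": "b", "SeqID": 2,
     "TypeID": 2, "Name": "test2", "Detail": "test event 2", "Session": "2",
     "Time": "2016/09/20 00:00:00"},
]

# Keys that the /services/collector/event endpoint treats as metadata,
# so they must sit beside "event", not inside it.
METADATA_KEYS = ("host", "source", "sourcetype", "index")


def row_to_hec_event(row: Dict) -> Dict:
    """Split one flat row into HEC metadata plus the 'event' payload.

    HEC wants 'time' as epoch seconds; the row's human-readable 'Time'
    field is converted here and is assumed to be UTC (an assumption for
    this example). Everything else goes under 'event'.
    """
    out = {k: row[k] for k in METADATA_KEYS if k in row}
    payload = {k: v for k, v in row.items() if k not in METADATA_KEYS}
    raw_time = payload.pop("Time", None)
    if raw_time is not None:
        out["time"] = calendar.timegm(time.strptime(raw_time, "%Y/%m/%d %H:%M:%S"))
    out["event"] = payload
    return out


def build_batches(rows: Iterable[Dict], max_content_length: int) -> List[bytes]:
    """Serialize rows as newline-separated JSON objects (the HEC batch
    format shown above) and split them into request bodies that each
    fit within max_content_length bytes."""
    batches: List[bytes] = []
    current: List[bytes] = []
    current_len = 0
    for row in rows:
        line = json.dumps(row_to_hec_event(row), separators=(",", ":")).encode("utf-8")
        if len(line) > max_content_length:
            # No amount of splitting helps; surface it instead of silently dropping it.
            raise ValueError("single event exceeds max_content_length")
        extra = len(line) + (1 if current else 0)  # +1 for the "\n" separator
        if current_len + extra > max_content_length:
            batches.append(b"\n".join(current))
            current, current_len = [], 0
            extra = len(line)
        current.append(line)
        current_len += extra
    if current:
        batches.append(b"\n".join(current))
    return batches


def send_batch(url: str, token: str, body: bytes) -> int:
    """POST one batch body to HEC and return the HTTP status.

    url is the /services/collector/event endpoint (use https so the token
    is not sent in the clear); token is the HEC token, passed in the
    Authorization header exactly as in the curl call above.
    """
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Splunk " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder endpoint and token; replace with your own before running.
    HEC_URL = "https://hec.example.com:8088/services/collector/event"
    HEC_TOKEN = "REPLACE-WITH-YOUR-HEC-TOKEN"
    for body in build_batches(SAMPLE_ROWS, max_content_length=800_000):
        print(send_batch(HEC_URL, HEC_TOKEN, body))
```

Reading rows from a file instead of SAMPLE_ROWS is just a matter of passing a generator that yields one dict per line (for example json.loads over each line) to build_batches; the chunking keeps memory bounded for large files, and the ValueError makes an oversized single event visible rather than letting the server reject the whole batch.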

dave_maclean
Explorer

I'm curious why a JSON array can't be used to pass multiple events to the HTTP Event Collector. "Stacking" events isn't valid JSON, which means I have to deal with that on the sending side.

DjNaGuRo
Explorer

Please @dave_maclean, how did you deal with constructing stacked JSON objects?

I have to construct it from the rows of my file, but I've faced problems with that in Python such as "EOL ..." and "Can't concat string with dict...".

Thanks in advance to anyone who can help me to resolve this issue.

starcher
SplunkTrust

You can submit batch events in a post. See example code in my answer above.

0 Karma

mattilehtinen
Engager

Upvoting the question and downvoting the answer, since it is not the answer to dave.maclean's question. Why is it required to do the "stacking" hacks on the sending side instead of following the standard?
