HTTP Event Collector: Is there a working example with cURL on Windows?

Path Finder

I've started experimenting with the HTTP event collector recently, and I like what I have seen so far.
There are a few great articles online describing the HTTP architecture with simple examples of using cURL to POST data to an HTTP event collector. However, there are nuances using cURL on Windows and posting multiple values in an event, which are best explained via working code.

The following example posts two events: "Breakfast Order" (simple event) and an event with three breakfast items (more complex event) to a Splunk indexer via the HTTP collector.

curl -k https://10.19.16.101:8088/services/collector/event -H "Authorization: Splunk 982D05B0-8603-4311-A1AF-32462BA47C9F" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}"
{"text":"Success","code":0}

Windows errors when you use single quotes ('), so change them to double quotes (") and escape the other double quotes (\").

Thanks goes to:
Glenn Block for this article http://blogs.splunk.com/2015/10/06/http-event-collector-your-direct-event-pipe-to-splunk-6-3/
And whoever wrote this article: http://dev.splunk.com/view/event-collector/SP-CAAAE7F

1 Solution

Path Finder

For a more complete understanding of the http-event-collector, check out the links I referenced above.

Builder

This question is a few years old, but here's the latest answer in case someone else needs it...

If your Windows 10 build is 17063 or later, you have curl.exe built into Windows. Source: https://techcommunity.microsoft.com/t5/Containers/Tar-and-Curl-Come-to-Windows/ba-p/382409

How to check your build? Press the Windows key and the r key at the same time, sometimes noted as WIN+R, to open the Run dialog box. Type winver in the run box and press enter.

How to use curl on Windows? Call curl.exe and use parameters just like curl on Linux or Mac. So your line #1 becomes:

curl.exe -k https://10.19.16.101:8088/services/collector/event -H "Authorization: Splunk 982D05B0-8603-4311-A1AF-32462BA47C9F" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}"

If this reply helps you, an upvote would be appreciated.
0 Karma

I use cURL on Windows for ad hoc EC ingestion. To avoid escaping quotes, I save my JSON to a file, and refer to that file in the curl -d option by prefixing the path with an at sign (@). For example:

-d @ec_input.json

For details, see the curl man page.

I also use a variety of homegrown PowerShell scripts (.ps1), batch files (.bat) - some of which are simply wrappers for curl - and Java programs to send JSON to EC. For example, I use Java to massage JSON lines-formatted event data with an ISO 8601-formatted time stamp field into EC "packets" with a Unix Epoch time metadata field.

0 Karma
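
An added example, not part of the post above and not Splunk's code: one way to do the conversion that post describes, in Python rather than the poster's Java, producing a body file for `curl -d @ec_input.json`. The input field name `timestamp`, the choice to treat offset-less times as UTC, and the sample lines are assumptions made for the example.

```python
import json
from datetime import datetime, timezone

TS_FIELD = "timestamp"  # assumed name of the ISO 8601 field in the input

# Constructed sample input (JSON Lines); lines 3 and 4 are deliberately bad.
SAMPLE = "\n".join([
    '{"timestamp":"2015-10-06T12:00:00Z","coffee":"double cream double sugar",'
    '"muffin":"blueberry","juice":"none"}',
    '{"timestamp":"2015-10-06T08:00:30-04:00","order":"Breakfast Order"}',
    '{"order":"no timestamp"}',
    'not json',
])


def iso_to_epoch(value):
    """Convert an ISO 8601 string to Unix epoch seconds."""
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
    if value.endswith(("Z", "z")):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: no offset means UTC
    return dt.timestamp()


def to_hec_packets(json_lines):
    """Return (payload, rejected_line_numbers) for a JSON Lines string."""
    packets, rejected = [], []
    for lineno, line in enumerate(json_lines.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
            epoch = iso_to_epoch(record.pop(TS_FIELD))
        except (ValueError, KeyError, AttributeError, TypeError):
            rejected.append(lineno)  # malformed JSON, missing or bad timestamp
            continue
        # "time" is event metadata; the remaining fields become the event.
        packets.append(json.dumps({"time": epoch, "event": record}))
    # Several event objects share one request body, as in the curl command above.
    return "\n".join(packets), rejected


if __name__ == "__main__":
    payload, rejected = to_hec_packets(SAMPLE)
    with open("ec_input.json", "w", encoding="utf-8", newline="\n") as fh:
        fh.write(payload)
    print(f"wrote {len(payload.splitlines())} events, skipped lines {rejected}")
```

curl's `-d @file` strips newlines from the file as it reads it, which leaves the event objects back to back in the request body.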

Ultra Champion

This post may interest you also as a potential alternative to Curl on Windows.

https://answers.splunk.com/answers/373010/powershell-sample-for-http-event-collector.html

0 Karma

Path Finder

Hi @fdarrigo,

I was able to send test events using the below command a few days back.

irm -Method Post -Uri "https://URL.com/services/collector/event" -Headers @{Authorization = "Splunk "} -Body '{"event": "test1 "}'

But when I tried sending a test event today it gave me an error.

irm : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ irm -Method Post -Uri "https://URL.com/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Any idea what could be causing this?

Thanks.

0 Karma

Community Manager

Thanks for sharing @fdarrigo 🙂 Would you actually be able to post your formal answer in the "Enter your answer here..." box below and Accept it? Otherwise, this helpful post will float in limbo as unresolved on Answers. Thanks, and I'll upvote the answer once it's posted. Cheers!

Patrick

0 Karma

Splunk Employee

Glad you like it and thanks for sharing!

0 Karma