I've started experimenting with the HTTP event collector recently, and I like what I have seen so far.
There are a few great articles online describing the HTTP architecture with simple examples of using cURL to POST data to an HTTP event collector. However, there are nuances using cURL on Windows and posting multiple values in an event, which are best explained via working code.
The following example posts two events: "Breakfast Order" (simple event) and an event with three breakfast items (more complex event) to a Splunk indexer via the HTTP collector.
curl -k https://10.19.16.101:8088/services/collector/event -H "Authorization: Splunk 982D05B0-8603-4311-A1AF-32462BA47C9F" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}"
{"text":"Success","code":0}
Windows errors out when you use single quotes ('), so change them to double quotes (") and escape the inner double quotes (\").
Thanks go to:
Glenn Block for this article: http://blogs.splunk.com/2015/10/06/http-event-collector-your-direct-event-pipe-to-splunk-6-3/
And whoever wrote this article: http://dev.splunk.com/view/event-collector/SP-CAAAE7F
For a more complete understanding of the http-event-collector, check out the links I referenced above.
This question is a few years old, but here's the latest answer in case someone else needs it...
If your Windows 10 build is 17063 or later, you have curl.exe built into Windows. Source: https://techcommunity.microsoft.com/t5/Containers/Tar-and-Curl-Come-to-Windows/ba-p/382409
How to check your build? Press the Windows key and the R key at the same time, sometimes noted as WIN+R, to open the Run dialog box. Type winver in the Run box and press Enter.
How to use curl on Windows? Call curl.exe and use parameters just like curl on Linux or Mac. So your line #1 becomes:
curl.exe -k https://10.19.16.101:8088/services/collector/event -H "Authorization: Splunk 982D05B0-8603-4311-A1AF-32462BA47C9F" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}"
I use cURL on Windows for ad hoc EC ingestion. To avoid escaping quotes, I save my JSON to a file, and refer to that file in the curl -d option by prefixing the path with an at sign (@). For example:
-d @ec_input.json
For details, see the curl man page.
I also use a variety of homegrown PowerShell scripts (.ps1), batch files (.bat) - some of which are simply wrappers for curl - and Java programs to send JSON to EC. For example, I use Java to massage JSON lines-formatted event data with an ISO 8601-formatted time stamp field into EC "packets" with a Unix Epoch time metadata field.
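The file-based approach above, written out as an added example (not code from any poster on this thread): PowerShell builds the same two-event batch that the original cURL line sends, writes it to a file, and hands the file to the built-in curl.exe with --data-binary @file, so nothing on the command line needs escaping. The collector URL is the one from the question; the token, file path and event contents are placeholders, and the HTTP-status parsing via -w is this example's own convention.

```powershell
# Added example: build a HEC batch in PowerShell and post it with curl.exe from a file.
# $HecToken and $PayloadFile are placeholders; $HecUrl is the collector URL from the thread.

$HecUrl      = 'https://10.19.16.101:8088/services/collector/event'
$HecToken    = '<your HEC token>'                 # placeholder: keep real tokens out of scripts
$PayloadFile = Join-Path $env:TEMP 'ec_input.json'

# A HEC batch is simply JSON event objects concatenated; newlines between them are optional,
# which is why the single-line cURL command in the question works.
$events = @(
    @{ event = 'Breakfast Order'; sourcetype = 'breakfast'
       time  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() },   # optional epoch "time" metadata
    @{ event = @{ coffee = 'double cream double sugar'; muffin = 'blueberry'; juice = 'none' } }
)

# -Compress keeps each event on one line; -Depth covers the nested "event" object.
$body = ($events | ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 5 }) -join "`n"

# Write UTF-8 without a BOM: a BOM in front of the first '{' is not valid JSON for the collector.
[System.IO.File]::WriteAllText($PayloadFile, $body, (New-Object System.Text.UTF8Encoding $false))

# -k skips certificate verification, as in the thread; acceptable for a lab with a self-signed
# cert, but use a trusted certificate and drop -k elsewhere. -w appends the HTTP status code
# on its own line so the script can distinguish "accepted" from "rejected".
$raw = & curl.exe -s -k $HecUrl `
    -H "Authorization: Splunk $HecToken" `
    -H 'Content-Type: application/json' `
    --data-binary "@$PayloadFile" `
    -w '\n%{http_code}'
if ($LASTEXITCODE -ne 0) { throw "curl failed with exit code $LASTEXITCODE (connection or TLS problem)" }

$lines    = @($raw)                               # native stdout arrives as one string per line
$status   = [int]$lines[-1]                       # last line is the status code from -w
$bodyText = $lines[0..($lines.Count - 2)] -join ''
if ($status -ne 200) { throw "HEC returned HTTP ${status}: $bodyText" }

$reply = $bodyText | ConvertFrom-Json             # expected: {"text":"Success","code":0}
if ($reply.code -ne 0) { throw "HEC rejected the batch: $($reply.text)" }
"Indexed $($events.Count) events: $($reply.text)"
```

Setting Content-Type explicitly is not required by HEC but keeps proxies from rewriting the body, and checking both the HTTP status and the JSON "code" field catches the two distinct failure modes: an unreachable or unauthorised collector (non-200) and a well-formed request the collector still refuses (200 with a non-zero code).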
This post may interest you also as a potential alternative to Curl on Windows.
https://answers.splunk.com/answers/373010/powershell-sample-for-http-event-collector.html
Hi @fdarrigo,
I was able to send test events using the below command a few days back.
irm -Method Post -Uri "https://URL.com/services/collector/event" -Headers @{Authorization = "Splunk "} -Body '{"event": "test1 "}'
But when I tried sending a test event today it gave me an error.
irm : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ irm -Method Post -Uri "https://URL.com/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Any idea what could be causing this?
Thanks.
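In Windows PowerShell 5.1 the generic "underlying connection was closed: An unexpected error occurred on a send" message from Invoke-RestMethod is what .NET reports when the TLS handshake fails, most often a protocol-version mismatch (the client offering only TLS 1.0/1.1 to a collector that requires 1.2) or a certificate the machine does not trust; which one it was is only visible in the inner exception. The following is an added example, not code from anyone in this thread, that posts one event the same way as the irm line above while enabling TLS 1.2 and printing the inner exception chain. The host and token are placeholders, and the "sourcetype"/"time" fields are optional additions.

```powershell
# Added example: Invoke-RestMethod to HEC with TLS 1.2 enabled and readable failure diagnostics.
# $HecUrl and $HecToken are placeholders; replace them with your collector and token.

$HecUrl   = 'https://URL.com/services/collector/event'   # placeholder host from the comment above
$HecToken = '<your HEC token>'                            # placeholder

# Windows PowerShell 5.1 negotiates TLS through .NET's ServicePointManager. On systems whose
# default is still SSL3/TLS1.0, add TLS 1.2 or the handshake with a TLS-1.2-only collector fails
# with exactly the "unexpected error occurred on a send" message quoted above.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Build the body with ConvertTo-Json instead of hand-writing quotes.
$body = @{
    event      = 'test1'
    sourcetype = 'manual'
    time       = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
} | ConvertTo-Json -Compress

try {
    $r = Invoke-RestMethod -Method Post -Uri $HecUrl `
        -Headers @{ Authorization = "Splunk $HecToken" } `
        -ContentType 'application/json' -Body $body
    if ($r.code -ne 0) { throw "HEC returned code $($r.code): $($r.text)" }
    "HEC accepted the event: $($r.text)"
}
catch {
    # The outer message is generic; walk the InnerException chain to see whether the failure
    # was a protocol mismatch or a certificate-trust problem.
    $e = $_.Exception
    while ($e) { Write-Warning $e.Message; $e = $e.InnerException }
    # A self-signed HEC certificate also ends up here. The fix is to import that certificate
    # into the machine's Trusted Root store (or use one from your CA), not to disable validation.
    throw
}
```

On PowerShell 7 the cmdlet already uses the system's TLS defaults and offers -SkipCertificateCheck for lab use against a self-signed collector; on 5.1 there is no such switch, which is why trusting the certificate is the practical route.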
Thanks for sharing @fdarrigo 🙂 Would you actually be able to post your formal answer in the "Enter your answer here..." box below and Accept it? Otherwise, this helpful post will float in limbo as unresolved on Answers. Thanks, and I'll upvote the answer once it's posted. Cheers!
Patrick
Glad you like it and thanks for sharing!