
HTTP Event Collector and curl: How to pass the hostname variable in Chef? (BOUNTY!)

a212830
Champion

Hi,

(Not Splunk questions per se...)

I'm setting up the HTTP Event Collector, so that our chef recipes can log to Splunk and we can have stats on its usefulness and such...

I was able to communicate in the chef recipe to the HEC, using a basic curl command. Now, I want to pass the hostname of the server where I'm running, but having problems getting that HOSTNAME variable to appear. Wondering if any Linux gurus out there can help me out... OR.... help me map out how chef does an http_request to the Splunk parameters.

So, here's the curl command and the results:

curl -k https://myserver.com:8088/services/collector/event -H 'Authorization: Splunk 7E36213E-03E1-4246-93B9-81931D303A58' -d '{"event": "hello from ""'"$HOSTNAME"'""}'
{"text":"Invalid data format","code":6,"invalid-event-number":0}[a212830@vc2crtp1102248n ~]

If I just say "hello world" it works. But passing in the hostname variable throws a wrench into it.

That said, chef has an http_request function, but I'm not sure how to map the required Splunk parameters to it. Anyone tried it?

require 'json'    # provides Hash#to_json
require 'base64'  # provides Base64.strict_encode64

http_request 'posting data' do
  action :post
  url 'http://example.com/check_in'
  message ({ :some => 'data' }.to_json)
  # strict_encode64 is used instead of encode64 because the latter appends a
  # newline, which is not valid inside an HTTP header value.
  headers({
    'AUTHORIZATION' => "Basic #{Base64.strict_encode64('username:password')}",
    'Content-Type' => 'application/data'
  })
end
0 Karma
1 Solution

scottjpack
Explorer

Definitely more of a curl issue than a HEC issue, but I was able to get it to work right with the following:

curl -k https://<splunk-server>:8088/services/collector/event -H 'Authorization: Splunk <HEC Token>' -d"{\"event\": \"hello $HOSTNAME\", \"index\":\"<Index Name>\", \"host\":\"$HOSTNAME\"}"

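As an added example (not from anyone in this thread), the same payload built by a small shell function that escapes each value before it is spliced into the JSON, so the quoting problem in the original command cannot recur; HEC_TOKEN, HEC_URL and HEC_INDEX are assumed environment variable names, not Splunk or curl conventions.

```shell
#!/bin/sh
# Added example (not from the thread): build the HEC JSON body in a shell
# function instead of hand-quoting it on the curl line. The original failure
# ("Invalid data format") came from single quotes that left the JSON with
# unbalanced double quotes once $HOSTNAME was spliced in.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# hec_payload EVENT INDEX HOST -> one JSON object for /services/collector/event.
# Every value goes through json_escape, so an event message containing quotes
# cannot break the document the way the original command did.
hec_payload() {
    printf '{"event":"%s","index":"%s","host":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# Stand-alone usage: only sends when HEC_TOKEN is set, so sourcing this file
# elsewhere has no network side effect. HEC_URL and HEC_INDEX are assumed names.
if [ -n "${HEC_TOKEN:-}" ]; then
    HEC_URL="${HEC_URL:-https://myserver.com:8088/services/collector/event}"
    HEC_INDEX="${HEC_INDEX:-main}"
    HOST_NAME="${HOSTNAME:-$(hostname)}"
    # -k skips certificate validation, as in the thread; --cacert <bundle> is
    # the safer choice once the collector presents a trusted certificate.
    curl -k -sS "$HEC_URL" \
        -H "Authorization: Splunk $HEC_TOKEN" \
        -d "$(hec_payload "hello from $HOST_NAME" "$HEC_INDEX" "$HOST_NAME")"
fi
```

Because the index is part of the body, it must be one the token is allowed to write to, otherwise HEC answers with "Incorrect index" as seen later in the thread.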

sogema
New Member

Can I use Splunk Light Cloud for this? I am trying and it does not work. What URL should I use?

1st attempt
https://prd-p-xxxxxxx.cloud.splunk.com:8088/services/collector/event
result: time out

2nd attempt
https://input-prd-p-XXXXXXX.cloud.splunk.com:8088/services/collector/event
result: time out

3rd attempt
https://http-inputs-XXXXXXXX.splunkcloud.com/services/collector/event
result: time out

0 Karma

gblock_splunk
Splunk Employee

One way is to send "host" in the request as you are doing here. Alternatively you can configure Splunk per token, so it will resolve the host based on the client that is sending. You do this in inputs.conf under the token stanza by setting the connection_host to "ip" or "dns". You can see the setting here:

connection_host = [ip|dns|none]
* Specify the host if an event doesn't have host set.
* "ip" sets the host to the IP address of the system sending the data. 
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in the HTTP header.

a212830
Champion

FYI, for those who have Chef and want to do the same thing via http_request:

http_request 'posting data' do
  action :post
  url 'https://myserver.com:8088/services/collector/event'
  # `type` is a variable set earlier in the recipe; node['hostname'] is the
  # Ohai attribute for the node's hostname (a bare HOSTNAME constant is not
  # defined in Ruby and would raise NameError).
  message ({ :event => "splunk installer complete.  type=#{type}",
             :host  => node['hostname'],
             :index => 'main' }.to_json)
  headers({
    'Authorization' => 'Splunk 7E36213E-03E1-4246-93B9-81931D303A58'
  })
end
0 Karma

gblock_splunk
Splunk Employee

Just to clarify, the config setting above will allow you to configure this on the Splunk side so the client doesn't have to send it.

0 Karma


a212830
Champion

Agreed. Not a HEC issue.

Same error though:

[a212830@vc2crtp1102248n ~]$ echo $HOSTNAME
vc2crtp1102248n.fmr.com
[a212830@vc2crtp1102248n ~]$ curl -k https://myserver.com:8088/services/collector/event -H 'Authorization: Splunk 7E36213E-03E1-4246-93B9-81931D303A58' -d"{\"event\": \"hello $HOSTNAME\", \"index\":\"<Index Name>\", \"host\":\"$HOSTNAME\"}"
{"text":"Incorrect index","code":7,"invalid-event-number":1}[a212830@vc2crtp1102248n ~]$
0 Karma

marco_gomiero
Engager

It worked fine for me, thanks!

0 Karma

pinterl
New Member

Do not use the backslashes (\). The command works fine without them.

0 Karma

a212830
Champion

Bingo! I accepted the answer. Do you automatically get the points?

0 Karma

scottjpack
Explorer

Looks like they were awarded. Thanks!

0 Karma

scottjpack
Explorer

Try specifying an index that the HEC has access to write to, I get weird stuff if no index is specified.
