Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Send LOG_TYPE data in Splunk using API python

test_accenture
Loves-to-Learn
‎02-10-2022 02:05 AM

I am new to Splunk and my use case is to send a file to Splunk and then Splunk will parse it. Can someone please help me with the code to put the file from my local machine to the Splunk server using API?

I want to automate this task.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-10-2022 11:40 PM

Depends on what you mean by "send a file to splunk".

There is no API to upload a file for parsing. If you want to parse (do a one-time input) a file, you have to first upload it manually to a server and make sure it's splunk-readable. That's what the splunk's web UI does.

You may however read the file on your own, split it into single events (most probably just split into lines, but not necessarily - especially with XML, json or other similarily formatted events), and sent events to HEC endpoint one by one.

https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/HECExamples

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-10-2022 09:43 PM

If you have files that you want to monitor in your local machine the best way to ingest that into Splunk is to use the monitor.

- Install Universal Forwarder on your local machine.

- Use file monitoring to monitor the files - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/Monitorfilesanddirectories

- Forward the data from your local UF(Universal Forwarder) to Splunk instance with outputs.conf - https://docs.splunk.com/Documentation/Forwarder/8.2.4/Forwarder/Configureforwardingwithoutputs.conf

 

But if you want to take a little bit longer route and write your own python code to read those files and send data to Splunk, here is the way:

- Write a python script to read the files whatever you want.

- On your Splunk instance, enable the HEC (Http Event Collector), create a new HEC token - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/UsetheHTTPEventCollector 

- From your Python script send the data that you read from files to Splunk with requests or similar modules. You would need the newly created HEC token for authentication - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/HECExamples 

(The examples are curl requests, you need to convert them to python code)

0 Karma
Reply

test_accenture
Loves-to-Learn
‎02-10-2022 10:23 PM

So where i will be basically indexing it can you please tell

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-10-2022 11:57 PM

On the splunk server/instance that you are mentioning in both cases.

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top