
How to Send LOG_TYPE data in Splunk using API python

test_accenture
Loves-to-Learn

I am new to Splunk and my use case is to send a file to Splunk and then Splunk will parse it. Can someone please help me with the code to put the file from my local machine to the Splunk server using API?

I want to automate this task.

0 Karma

PickleRick
SplunkTrust

Depends on what you mean by "send a file to splunk".

There is no API to upload a file for parsing. If you want to parse (do a one-time input) a file, you have to first upload it manually to a server and make sure it's Splunk-readable. That's what Splunk's web UI does.

You may, however, read the file on your own, split it into single events (most probably just split into lines, but not necessarily - especially with XML, JSON or other similarly formatted events), and send events to the HEC endpoint one by one.

https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/HECExamples

0 Karma

VatsalJagani
SplunkTrust

If you have files that you want to monitor on your local machine, the best way to ingest them into Splunk is to use the monitor.

- Install Universal Forwarder on your local machine.

- Use file monitoring to monitor the files - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/Monitorfilesanddirectories

- Forward the data from your local UF (Universal Forwarder) to Splunk instance with outputs.conf - https://docs.splunk.com/Documentation/Forwarder/8.2.4/Forwarder/Configureforwardingwithoutputs.conf

But if you want to take a slightly longer route and write your own Python code to read those files and send data to Splunk, here is the way:

- Write a Python script to read whichever files you want.

- On your Splunk instance, enable the HEC (HTTP Event Collector) and create a new HEC token - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/UsetheHTTPEventCollector

- From your Python script, send the data that you read from files to Splunk with requests or similar modules. You would need the newly created HEC token for authentication - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/HECExamples

(The examples are curl requests; you need to convert them to Python code.)

0 Karma
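
The Python route described in the answers above (read the file, split it into events, POST them to HEC), as an added example that is not code from any poster or from Splunk. It uses only the standard library in place of requests; the host name, file name, sourcetype and the SPLUNK_HEC_TOKEN environment variable are assumptions.

```python
import json
import os
import ssl
import urllib.request
from itertools import islice

HEC_PATH = "/services/collector/event"  # HEC endpoint for JSON-wrapped events

def build_batch(lines, sourcetype, source, host=None):
    """Turn raw lines into one HEC body: JSON objects, one per event."""
    events = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue  # skip blank lines; HEC rejects an empty "event" field
        payload = {"event": line, "sourcetype": sourcetype, "source": source}
        if host:
            payload["host"] = host
        events.append(json.dumps(payload))
    return "\n".join(events).encode("utf-8")

def chunked(iterable, size):
    """Yield lists of at most `size` items, so a large file is never held whole."""
    it = iter(iterable)
    while batch := list(islice(it, size)):
        yield batch

def send_file(path, base_url, token, sourcetype, ca_file=None, batch_size=500):
    """POST the file to HEC in batches of lines; returns the number of requests."""
    ctx = ssl.create_default_context(cafile=ca_file)  # TLS verification stays on
    url = base_url.rstrip("/") + HEC_PATH
    sent = 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for batch in chunked(fh, batch_size):
            body = build_batch(batch, sourcetype, source=path)
            if not body:
                continue  # batch held only blank lines
            req = urllib.request.Request(
                url, data=body, headers={"Authorization": "Splunk " + token})
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                resp.read()  # a non-2xx reply raises urllib.error.HTTPError
            sent += 1
    return sent

if __name__ == "__main__":
    # Constructed values: placeholder host, file and sourcetype; token from env.
    send_file("app.log", "https://splunk.example.com:8088",
              os.environ["SPLUNK_HEC_TOKEN"], "my_sourcetype")
```

If the HEC listener presents a certificate from a private CA, pass that CA bundle as ca_file so certificate verification stays enabled.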

test_accenture
Loves-to-Learn

So where will I basically be indexing it? Can you please tell me?

0 Karma

VatsalJagani
SplunkTrust

On the Splunk server/instance that you are mentioning in both cases.

0 Karma