How to Send LOG_TYPE data in Splunk using API python

test_accenture
Loves-to-Learn

I am new to Splunk, and my use case is to send a file to Splunk and then have Splunk parse it. Can someone please help me with the code to put the file from my local machine onto the Splunk server using the API?

I want to automate this task.

0 Karma

PickleRick
SplunkTrust

Depends on what you mean by "send a file to splunk".

There is no API to upload a file for parsing. If you want to parse (do a one-time input of) a file, you have to first upload it manually to a server and make sure it's Splunk-readable. That's what Splunk's web UI does.

You may, however, read the file on your own, split it into single events (most probably just split into lines, but not necessarily, especially with XML, JSON or other similarly formatted events), and send the events to the HEC endpoint one by one.

https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/HECExamples

0 Karma

VatsalJagani
SplunkTrust

If you have files that you want to monitor on your local machine, the best way to ingest them into Splunk is to use the monitor.

- Install Universal Forwarder on your local machine.

- Use file monitoring to monitor the files - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/Monitorfilesanddirectories

- Forward the data from your local UF (Universal Forwarder) to the Splunk instance with outputs.conf - https://docs.splunk.com/Documentation/Forwarder/8.2.4/Forwarder/Configureforwardingwithoutputs.conf

But if you want to take a slightly longer route and write your own Python code to read those files and send the data to Splunk, here is the way:

- Write a Python script to read whatever files you want.

- On your Splunk instance, enable the HEC (HTTP Event Collector) and create a new HEC token - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/UsetheHTTPEventCollector

- From your Python script, send the data that you read from the files to Splunk with requests or similar modules. You would need the newly created HEC token for authentication - https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/HECExamples

(The examples are curl requests; you need to convert them to Python code.)

0 Karma
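
The HEC route described in the two answers above (read the file yourself, split it into events, post them with the HEC token), as an added example that is not part of the original thread. The host name, the sourcetype `my_log_type`, the batch size and the `SPLUNK_HEC_TOKEN` environment variable are assumptions; it uses the standard-library `urllib` rather than `requests`, splits on lines only, and keeps TLS certificate verification on.

```python
import json
import os
import ssl
import sys
import urllib.request

# Assumed values, not from the thread: host name, sourcetype, batch size.
HEC_URL = "https://splunk.example.com:8088/services/collector/event"

def build_batches(lines, source, sourcetype="my_log_type", batch_size=100):
    """Yield HEC request bodies: one JSON object per line-event, stacked."""
    batch = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue  # do not index blank lines as empty events
        batch.append(json.dumps(
            {"event": line, "source": source, "sourcetype": sourcetype}))
        if len(batch) == batch_size:
            yield "\n".join(batch).encode("utf-8")
            batch = []
    if batch:
        yield "\n".join(batch).encode("utf-8")

def make_request(body, token, url=HEC_URL):
    """HEC authenticates with 'Authorization: Splunk <token>'."""
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json"})

def send_file(path, token, url=HEC_URL, ca_file=None):
    """Send a file line by line; returns the number of batches accepted."""
    # Certificate verification stays on; pass ca_file for a private CA
    # instead of disabling verification.
    ctx = ssl.create_default_context(cafile=ca_file)
    accepted = 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for body in build_batches(fh, source=os.path.basename(path)):
            req = make_request(body, token, url)
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                reply = json.load(resp)
            if reply.get("code") != 0:  # HEC answers {"text":"Success","code":0}
                raise RuntimeError(f"HEC rejected batch: {reply}")
            accepted += 1
    return accepted

if __name__ == "__main__":
    # Token comes from the environment, never from the script or its argv.
    print(send_file(sys.argv[1], os.environ["SPLUNK_HEC_TOKEN"]))
```

Multi-line formats such as XML or pretty-printed JSON need a different splitter in `build_batches`; an HTTP error status from HEC (for example an invalid token) surfaces as `urllib.error.HTTPError`.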

test_accenture
Loves-to-Learn

So where will I basically be indexing it? Can you please tell me?

0 Karma

VatsalJagani
SplunkTrust

On the Splunk server/instance that you are mentioning in both cases.

0 Karma