Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to send json data via HEC

timyong80
Explorer
‎05-21-2020 12:50 AM

I am using a Python script to send data to Splunk via HEC. There's no problem when curling a simple "Hello World".
However, I would like to curl search results (json format) obtained via a Python script. Here's how the snippet of the Python script to get the results in json format.

alt text

The results look like this:

{'_id': {'$oid': '5ec4f96e67ac75656af5ea5b'}, 'created_at': '2020-05-10T09:33:33.490855', 'appid_caller': 'fg67k78k-7f44-5c90-a1b6-42gf5jjjj00a', 'input': {'target_host': 'portal-azure.cloud.io',
'target_port': 443}, 'output': {'result': False, 'info': 'Application has failed security checks. Drill down the results [array] to find information.', 'results': [{'category': 'hosting', 'result': False, 'title': 'Insecure use of shared hosting subdomain', 'description': "The application uses shared hosting parent domain. Recommended to use (e.g.: *.abc.com, *.abc.cloud, etc).", 'cwe': 348, 'checks': []}]}}

Question is: how do I curl the results (server_info) using HEC? I'm getting an error 400. I'm guessing the problem lies with the 'data' variable where it may not be defined properly. Also, I've tried the endpoints; services/collector and services/collector/event but none worked. When using services/collector/raw endpoint, I did get a response code 200 which indicated successful but jargon data was displayed in Splunk. Below is the post script used.

splunk_headers = {'Authorization': 'Splunk f5t34545-xxxxxc-xxxx-xxxx-xxxx-xxxxxxxx'}
data = {"sourcetype": "server","event": server_info}
response = requests.post('https://server03.na.abc.com:8088/services/collector/event', headers=splunk_headers, data=data, verify=False)

Thank you.

Preview file
1 KB
0 Karma
Reply

anthonymelita
Contributor
‎05-21-2020 05:58 PM

Try setting Content-Type 'application/json' in the headers. This is an example I'm doing using Python requests module.

requests.post("https://hec-server:8088/services/collector", headers={'Authorization': 'Splunk xxxxxxxxxxxxxxxx','Content-Type': 'application/json'}, data=json.dumps({'event': dictVar}), verify="False")

0 Karma
Reply

timyong80
Explorer
‎05-21-2020 10:59 PM

Thanks. I tried using your script but it didnt work. The error message was "Could not find a suitable TLS CA certificate bundle, invalid path: False"

Is dictVar the variable that you have defined for the json results? If so, I replaced it with mine which is server_info.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...