Getting Data In

Please help: I want to send data into Splunk Enterprise using API and I want to use Splunk HTTP Event collector

jjoshi6
Explorer

Hello Folks,

I have data in JSON format (data.json). I want to visualize the data by creating a dashboard in Splunk Enterprise. Due to my company structure, I can only use the HTTP event collector (HEC) to send data to Splunk Enterprise. Can anyone please help me with the python based script if you have any template where I have to just enter the token key and URL to make it happen. Please help me as I need it on a quicker basis as it is super important for my project. 

 

Thank you.

Labels (3)

inventsekar
Ultra Champion

Hi @jjoshi6 ... hope you checked the github code and doing fine on your project work.

i assume you are new to Splunk. maybe i would like to suggest you...

1. play with a basic HEC data ingestion. once data from client reaches indexer, try to run SPL searches, try to create a basic dashboard on the HEC ingested data. 

2. when you feel comfortable, then, as per your requirement, create some basic python template for HEC data onboarding. 

3. when you are in doubt, reply us your current position in detail, then, someone can help on your task. 

4. For JSON format data, while searching, remember the command "spath"(field extraction on xml, json logs)(you dont need to write regular expressions for field extraction).

 

~ Happy Splunking | Best Regards | Sekar | PS - Karma points appreciated!

0 Karma

jjoshi6
Explorer
0 Karma

inventsekar
Ultra Champion

Hi @jjoshi6 .. you seems to be newbie to both python and splunk.. so its a big task i would say to a newbie. 

so, lets do this step by step... 

1. have you configured data ingestion from a UF to indexer? 

2. have you configured some "scripted inputs" from a UF to indexer?

3. have you configured a basic HEC data input to indexer..

 

once you done these you will feel more comfortable and then you can check the github page which @richgalloway  (on the other post)and @isoutamo given. hope its clear, all the best to your splunk and python journey!

 

As a new member, you may not know about karma points,.. karma points will show your appreciation. thanks!

jjoshi6
Explorer

@inventsekar 

For all these three questions. I would say NO because I tried to send pseudo using CURL and it worked. 

0 Karma

inventsekar
Ultra Champion

ok sure, have you tried the "scripted input" method of "getting data in"

 

https://docs.splunk.com/Documentation/Splunk/8.1.0/AdvancedDev/ScriptedInputsIntro

 

0 Karma

jjoshi6
Explorer

The permissions that I have for accessing splunk in my company does not allow me to Add Data. That's why I requested you to help me in writing Python Script.

 

@inventsekar 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Hi
This seem so be reasonable example. https://github.com/jyung-hk/hec
You could find lot of other examples from net with google, if this is not suitable for you.
r. Ismo
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...