Please help: I want to send data into Splunk Enterprise using the API, and I want to use the Splunk HTTP Event Collector

jjoshi6
Explorer

Hello Folks,

I have data in JSON format (data.json). I want to visualize the data by creating a dashboard in Splunk Enterprise. Due to my company structure, I can only use the HTTP Event Collector (HEC) to send data to Splunk Enterprise. Can anyone please help me with a Python-based script, if you have any template where I just have to enter the token key and URL to make it happen? Please help me, as I need it quickly and it is super important for my project.

Thank you.

inventsekar
SplunkTrust

Hi @jjoshi6 ... hope you checked the GitHub code and are doing fine on your project work.

I assume you are new to Splunk, so I would like to suggest the following...

1. Play with a basic HEC data ingestion. Once data from the client reaches the indexer, try to run SPL searches and try to create a basic dashboard on the HEC-ingested data.

2. When you feel comfortable, then, as per your requirement, create a basic Python template for HEC data onboarding.

3. When you are in doubt, reply to us with your current position in detail; then someone can help with your task.

4. For JSON-format data, while searching, remember the command "spath" (field extraction on XML and JSON logs); you don't need to write regular expressions for field extraction.

~ Happy Splunking | Best Regards | Sekar | PS - Karma points appreciated!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

inventsekar
SplunkTrust

Hi @jjoshi6 .. you seem to be a newbie to both Python and Splunk, so it's a big task, I would say, for a newbie.

So, let's do this step by step...

1. Have you configured data ingestion from a UF to the indexer?

2. Have you configured some "scripted inputs" from a UF to the indexer?

3. Have you configured a basic HEC data input to the indexer?

 

Once you have done these you will feel more comfortable, and then you can check the GitHub page which @richgalloway (on the other post) and @isoutamo gave. Hope it's clear; all the best on your Splunk and Python journey!

As a new member, you may not know about karma points... karma points will show your appreciation. Thanks!


jjoshi6
Explorer

@inventsekar 

For all these three questions, I would say NO, because I tried to send pseudo using curl and it worked.

inventsekar
SplunkTrust

OK sure, have you tried the "scripted input" method of "getting data in"?

https://docs.splunk.com/Documentation/Splunk/8.1.0/AdvancedDev/ScriptedInputsIntro


jjoshi6
Explorer

The permissions that I have for accessing Splunk in my company do not allow me to Add Data. That's why I requested you to help me in writing a Python script.

@inventsekar

isoutamo
SplunkTrust

Hi
This seems to be a reasonable example. https://github.com/jyung-hk/hec
You could find lots of other examples on the net with Google, if this is not suitable for you.
r. Ismo
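The kind of script the original question asks for, written here as an added example for this thread (it is not the code from the linked GitHub repository). It assumes the HEC base URL (for example https://splunk.example.com:8088, a placeholder) and the HEC token are supplied through the HEC_URL and HEC_TOKEN environment variables rather than pasted into the script, and that data.json holds either a JSON array of objects or one JSON object per line; the sample records below are constructed stand-ins for that file.

```python
# Added example for this thread, not code from the linked repository.
# Assumes HEC_URL and HEC_TOKEN are set in the environment (see lead-in).
import json
import os
import ssl
import urllib.request

# Constructed sample records standing in for the contents of data.json.
SAMPLE_RECORDS = [
    {"host": "web01", "status": 200, "path": "/login"},
    {"host": "web02", "status": 500, "path": "/api/orders"},
]


def load_records(text):
    """Accept either a JSON array or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_hec_batch(records, sourcetype="_json", source="data.json", index=None):
    """Wrap each record in a HEC event envelope. HEC accepts several envelopes
    concatenated in one POST body, so the whole file goes in one request."""
    envelopes = []
    for rec in records:
        env = {"event": rec, "sourcetype": sourcetype, "source": source}
        if index:
            env["index"] = index
        envelopes.append(json.dumps(env))
    return "\n".join(envelopes)


def send_batch(body, hec_url, token):
    """POST one batch to /services/collector/event with TLS verification on;
    returns HEC's JSON reply, e.g. {"text": "Success", "code": 0}."""
    req = urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    with open("data.json", encoding="utf-8") as fh:
        print(send_batch(build_hec_batch(load_records(fh.read())),
                         os.environ["HEC_URL"], os.environ["HEC_TOKEN"]))
```

Once the events arrive, `sourcetype=_json` lets `spath` extract the fields without regular expressions, as suggested earlier in the thread.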