Getting Data In

Using Splunk Universal Forwarder and scripted input to scrape JSON and write to a metrics index

New Member

I've got a HTTP API that produces a JSON payload of metrics. The payload is formatted in a way that also works for POSTing (via cURL) to a Splunk HEC and ultimately getting inserted into a "metrics"-style index. An example of the payload:





    "event": "metric",
    "time": 1618573805075,
    "host": "myhostname",
    "fields": {
        "metric_name:ok.count": 1,
        "metric_name:error.count": 2
        "product_version": "1.2.3",
        "now_unix": 1618573805075052,
        "product_name": "my cool app"





 This works well and I can query the data using





| mpreview index="my_index_name"





I'm trying to setup Splunk Universal Forwarder and using Scripted Input to cURL this endpoint and send it to the Splunk Indexer over port 9997 as per normal. I can see that the metrics endpoint is being "hit" by SUF, but I can't see any data in Splunk.

I have my Splunk-side props.conf as :





KV_MODE = none





My SUF inputs.conf:





interval = 5
index = my_index_name
sourcetype = my_json_metrics_via_suf
disabled = false






Does anyone know what config I'm missing? I can see the data arriving at the Splunk server via `tcpdump`

Labels (3)
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!