Getting Data In

Using Splunk Universal Forwarder and scripted input to scrape JSON and write to a metrics index

New Member

I've got a HTTP API that produces a JSON payload of metrics. The payload is formatted in a way that also works for POSTing (via cURL) to a Splunk HEC and ultimately getting inserted into a "metrics"-style index. An example of the payload:





    "event": "metric",
    "time": 1618573805075,
    "host": "myhostname",
    "fields": {
        "metric_name:ok.count": 1,
        "metric_name:error.count": 2
        "product_version": "1.2.3",
        "now_unix": 1618573805075052,
        "product_name": "my cool app"





 This works well and I can query the data using





| mpreview index="my_index_name"





I'm trying to setup Splunk Universal Forwarder and using Scripted Input to cURL this endpoint and send it to the Splunk Indexer over port 9997 as per normal. I can see that the metrics endpoint is being "hit" by SUF, but I can't see any data in Splunk.

I have my Splunk-side props.conf as :





KV_MODE = none





My SUF inputs.conf:





interval = 5
index = my_index_name
sourcetype = my_json_metrics_via_suf
disabled = false






Does anyone know what config I'm missing? I can see the data arriving at the Splunk server via `tcpdump`

Labels (3)
0 Karma
Get Updates on the Splunk Community!

tag as datamodel attribute

I'm confused a bit. I use CIM datamodels.The "tag" field is both a filter for choosing events applicable to a ...

Running multiple macros in the same search

Hi all!I'm trying to run multiple macros in the same search and eventually aggregate the results from each ...

Not deployed Error for one of the app in deployment server.

One app is not downloading into deployment server, whereas similar domain servers have downloaded ...