Using Splunk Universal Forwarder and scripted inpu...

thehowler · ‎04-16-2021

I've got a HTTP API that produces a JSON payload of metrics. The payload is formatted in a way that also works for POSTing (via cURL) to a Splunk HEC and ultimately getting inserted into a "metrics"-style index. An example of the payload:

{
    "event": "metric",
    "time": 1618573805075,
    "host": "myhostname",
    "fields": {
        "metric_name:ok.count": 1,
        "metric_name:error.count": 2
        "product_version": "1.2.3",
        "now_unix": 1618573805075052,
        "product_name": "my cool app"
    }
}

This works well and I can query the data using

| mpreview index="my_index_name"

I'm trying to setup Splunk Universal Forwarder and using Scripted Input to cURL this endpoint and send it to the Splunk Indexer over port 9997 as per normal. I can see that the metrics endpoint is being "hit" by SUF, but I can't see any data in Splunk.

I have my Splunk-side props.conf as :

[my_json_metrics_via_suf]
INDEXED_EXTRACTIONS = json
KV_MODE = none

My SUF inputs.conf:

[script:///opt/splunkforwarder/etc/system/bin/my_curl_script.sh]
interval = 5
index = my_index_name
sourcetype = my_json_metrics_via_suf
disabled = false

Does anyone know what config I'm missing? I can see the data arriving at the Splunk server via `tcpdump`

Using Splunk Universal Forwarder and scripted input to scrape JSON and write to a metrics index

inputs.conf

props.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation