I've got a HTTP API that produces a JSON payload of metrics. The payload is formatted in a way that also works for POSTing (via cURL) to a Splunk HEC and ultimately getting inserted into a "metrics"-style index. An example of the payload:
{
"event": "metric",
"time": 1618573805075,
"host": "myhostname",
"fields": {
"metric_name:ok.count": 1,
"metric_name:error.count": 2
"product_version": "1.2.3",
"now_unix": 1618573805075052,
"product_name": "my cool app"
}
}
This works well and I can query the data using
| mpreview index="my_index_name"
I'm trying to setup Splunk Universal Forwarder and using Scripted Input to cURL this endpoint and send it to the Splunk Indexer over port 9997 as per normal. I can see that the metrics endpoint is being "hit" by SUF, but I can't see any data in Splunk.
I have my Splunk-side props.conf as :
[my_json_metrics_via_suf]
INDEXED_EXTRACTIONS = json
KV_MODE = none
My SUF inputs.conf:
[script:///opt/splunkforwarder/etc/system/bin/my_curl_script.sh]
interval = 5
index = my_index_name
sourcetype = my_json_metrics_via_suf
disabled = false
Does anyone know what config I'm missing? I can see the data arriving at the Splunk server via `tcpdump`