Using Splunk Universal Forwarder and scripted inpu...

thehowler · ‎04-16-2021

I've got a HTTP API that produces a JSON payload of metrics. The payload is formatted in a way that also works for POSTing (via cURL) to a Splunk HEC and ultimately getting inserted into a "metrics"-style index. An example of the payload:

{
    "event": "metric",
    "time": 1618573805075,
    "host": "myhostname",
    "fields": {
        "metric_name:ok.count": 1,
        "metric_name:error.count": 2
        "product_version": "1.2.3",
        "now_unix": 1618573805075052,
        "product_name": "my cool app"
    }
}

This works well and I can query the data using

| mpreview index="my_index_name"

I'm trying to setup Splunk Universal Forwarder and using Scripted Input to cURL this endpoint and send it to the Splunk Indexer over port 9997 as per normal. I can see that the metrics endpoint is being "hit" by SUF, but I can't see any data in Splunk.

I have my Splunk-side props.conf as :

[my_json_metrics_via_suf]
INDEXED_EXTRACTIONS = json
KV_MODE = none

My SUF inputs.conf:

[script:///opt/splunkforwarder/etc/system/bin/my_curl_script.sh]
interval = 5
index = my_index_name
sourcetype = my_json_metrics_via_suf
disabled = false

Does anyone know what config I'm missing? I can see the data arriving at the Splunk server via `tcpdump`

Using Splunk Universal Forwarder and scripted input to scrape JSON and write to a metrics index

inputs.conf

props.conf

universal forwarder

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Using Splunk Universal Forwarder and scripted input to scrape JSON and write to a metrics index

inputs.conf

props.conf

universal forwarder

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>