How to send multiple events in one HTTP Even Colle...

rolyrolex · ‎04-07-2022

Hello,

I want to know if it's possible to upload files in Splunk Cloud through the Http Collector or other way ?

Now i have a file with lines as events and i'm making an htttp request for each lines to load events in Splunk.

Do you have another solution please ?

Thanks !!

rolyrolex · ‎04-14-2022

Thank you very much for all you responses.

Just one last thing;

i'm using Powershell to send data and i don't know how to send multiple events in powershell

VatsalJagani · ‎04-14-2022

I'm not familiar with PowerShell as much but the format of API calls would remain the same.

You just put one event followed by other events without space.

{event1:......}{event2:.....}{event2:....}

etc.

rolyrolex · ‎04-13-2022

Thank you for your answer @VatsalJagani !

My events a formated in JSON like this :
{
"host": stream",
"sourcetype": "testlog",
"time": "2022-03-08T13:00:14.3360600+01:00",
"event": {
"Delay Time": "0 Sec",
"OrderNumber": "4278191",
"Key / CLE": "1K63537000VP74003965",
"Printer Name": "ZM40"
}
}
{
"host": "stream",
"sourcetype": "testlog",
"time": "2022-03-08T13:00:14.3360600+01:00",
"event": {
"Delay Time": "0 Sec",
"OrderNumber": "4278",
"Key / CLE": "1K63537000VP7",
"Printer Name": "ZM400
}
}

can i still send them ?

PickleRick · ‎04-13-2022

Close. But hour event field has to be a string, not a json structure.

VatsalJagani · ‎04-13-2022

@PickleRick

Is it documented somewhere? Because the doc says it's possible to have JSON object as an event.

https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/FormateventsforHTTPEventCollector (Example-2)

Also, batch data does not mention that it cannot be JSON object events.

VatsalJagani · ‎04-15-2022

@rolyrolex - Kindly accept the answer in case if it resolves your issue. Thanks!!

PickleRick · ‎04-13-2022

Sorry, you're right, I stand corrected. I must have mistaken it with another functionality.

VatsalJagani · ‎04-13-2022

Yes, you can send multiple events even with JSON format.

Reference - https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/FormateventsforHTTPEventCollector (Though this document only provides normal string in a batch mode, there is no restriction for it to apply on JSON type events)

VatsalJagani · ‎04-07-2022

@rolyrolex - You cannot upload the file directly to the Splunk HEC endpoint (/services/collector) but you can make requests with multiple events in one endpoint call.

curl "https://mysplunkserver.example.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Pony 1 has left the barn"}{"event": "Pony 2 has left the barn"}{"event": "Pony 3 has left the barn", "nested": {"key1": "value1"}}'

https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples (Look at the second example)

If you are using the raw endpoint of HEC (/services/collector/raw) then you can read and upload the whole content of the file, but then you need to write proper props.conf configuration to parse/line-breaking/line-merging/timestamp parsing.

I hope this helps, if it does consider upvote!!!

(Look at the 4th example in above link)

How to send multiple events in one HTTP Even Collector call?

using Splunk Cloud

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services