How to fix the error: Splunk HEC too many values to unpack?

Juan_Leon
Explorer

Hello, I am using Python to test sending events to Splunk via HEC, but I am getting the following error. This error is more of a Python issue than a Splunk one. I was wondering if anyone has had a similar issue or has a suggestion. Thank you.

user_data_str looks like below
{
    "GivenName": "MyName",
    "sn": "MyLastN",
    "UserPrincipalName": "MyName@client.com",
    "sAMAccountName": "mysama",
    "enabled": "[]",
    "co": "United States",
    "sourcetype": "my_hec_test",
    "time": 9999999999.8921528
}

Header looks like below

{
    'Authorization': 'Splunk abcdefgh-1234-ijkl-5678-mnopqrstu123456'
}

user_data_str includes 3 users similar to the above example

>>> print(range(len(user_data_str)))
range(0, 3)
>>> type(user_data_str)
<class 'list'>
>>> type(header)
<class 'dict'>
>>>
>>> requests.post('https://hec.splunkcloud.com/services/collector/event', headers = header, data = user_data_str, verify=False)
Traceback (most recent call last):
  ...
  ...
  ...
  ...
ValueError: too many values to unpack (expected 2)

yeahnah
Motivator

Hi @Juan_Leon 

Try it this way...

>>> import requests
>>> import json
>>> url='https://splunk-hec-url:8088/services/collector/event'
>>> authHeader = {'Authorization': 'Splunk my_token_value'}
>>> json_data = '''{
	"sourcetype": "_json",
	"event": [{
			"GivenName": "MyName",
			"sn": "MyLastN",
			"UserPrincipalName": "MyName@client.com",
			"sAMAccountName": "mysama",
			"enabled": "[]",
			"co": "United States",
			"time": 9999999999.8921528
		},
		{
			"GivenName": "MyName",
			"sn": "MyLastN",
			"UserPrincipalName": "MyName@client.com",
			"sAMAccountName": "mysama",
			"enabled": "[]",
			"co": "Canada",
			"time": 9999999999.9999999
		}
	]
}'''
>>> data = json.loads(json_data)
>>> type(data)
<class 'dict'>
>>> r = requests.post(url, headers=authHeader, json=data, verify=False)
>>> print(r.text)
{"text":"Success","code":0}
>>>
>>> event = '''
{
  "sourcetype": "my_hec_test",
  "event":{
		"GivenName": "MyName",
		"sn": "MyLastN",
		"UserPrincipalName": "MyName@client.com",
		"sAMAccountName": "mysama",
		"enabled": "[]",
		"co": "United States"
	}
}
{
  "sourcetype": "my_hec_test",
  "event":{
			"GivenName": "MyName",
			"sn": "MyLastN",
			"UserPrincipalName": "MyName@client.com",
			"sAMAccountName": "mysama",
			"enabled": "[]",
			"co": "Canada"
		}
}
'''
>>> r = requests.post(url, headers=authHeader, data=event, verify=False)
>>> print(r.text)
{"text":"Success","code":0}

Hope it helps
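
An added example, not part of either post above: requests reads a list passed as `data=` as a sequence of (key, value) form pairs, so a list of user dicts fails while being unpacked. The sketch below turns such a list into one HEC batch body, lifting `sourcetype` and `time` out of each record onto the event envelope, and prepares the POST with the standard library so certificate verification stays on; the function names, `HEC_META_KEYS` and the sample timestamps are constructed for illustration, and the URL and token are the placeholders from the answer.

```python
import json
import urllib.request

# HEC metadata keys that belong on the envelope, not inside "event".
HEC_META_KEYS = ("time", "host", "source", "sourcetype", "index")


def to_hec_envelope(record, default_sourcetype="my_hec_test"):
    """Wrap one flat record in a HEC envelope, lifting metadata keys out of it."""
    if not isinstance(record, dict):
        raise TypeError(f"expected dict, got {type(record).__name__}")
    event = {k: v for k, v in record.items() if k not in HEC_META_KEYS}
    if not event:
        raise ValueError("record has no event fields")
    envelope = {k: record[k] for k in HEC_META_KEYS if k in record}
    envelope.setdefault("sourcetype", default_sourcetype)
    envelope["event"] = event
    return envelope


def build_hec_batch(records):
    """Serialize records as newline-separated HEC event objects (one request body)."""
    return "\n".join(json.dumps(to_hec_envelope(r)) for r in records).encode("utf-8")


def build_hec_request(url, token, records):
    """Prepare the POST without sending it."""
    return urllib.request.Request(
        url,
        data=build_hec_batch(records),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )


# Constructed sample input, shaped like the user_data_str list in the question.
SAMPLE_USERS = [
    {"GivenName": "MyName", "sAMAccountName": "mysama", "co": "United States",
     "sourcetype": "my_hec_test", "time": 1700000000.5},
    {"GivenName": "MyName", "sAMAccountName": "mysama", "co": "Canada",
     "sourcetype": "my_hec_test", "time": 1700000001.5},
]

if __name__ == "__main__":
    req = build_hec_request("https://splunk-hec-url:8088/services/collector/event",
                            "my_token_value", SAMPLE_USERS)
    print(req.data.decode())
    # urllib.request.urlopen(req) would send it; HTTPS certificates are verified by default.
```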
