Splunk Dev

Splunk ignores events with many colon inside, how to fix it?

kairat
New Member

I want to send an event using python-sdk.

Event's content "145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

If we remove colons event will be sent, please, help me.

The code below doesn't show any mistake, neither add an event to splunk

import splunklib.client as client

service = client.connect(
                        host=HOST,
                        port=PORT,
                        username=USERNAME,
                        password=PASSWORD)
myindex = service.indexes["main"]
mysocket = myindex.attach(sourcetype='access_combined.log',host='local')
mysocket.send(str.encode('"145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""'))
mysocket.close()
0 Karma

FrankVl
Ultra Champion

Not familiar with this python stuff, so i'll leave that to others to comment on, but I think you mean quote, not colon? At least: I don't see any colons : in your event 🙂

0 Karma

kairat
New Member

The code I provided works, but if I add :, it doesnt send event. I can replace colons, but I wonder why It doesn't work.

Splunk can read events with colons, so that's weird.

0 Karma

kairat
New Member

Colons, I forgot to add it in the event 😞 The original is like
"37.31.31.31 - - [13/Dec/2015:23:08:40 +0100] ""POST /administrator/index.php HTTP/1.1"" 200 4494 ""

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...