Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk ignores events with many colon inside, how to fix it?

kairat
New Member
‎07-09-2018 08:55 PM

I want to send an event using python-sdk.

Event's content "145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

If we remove colons event will be sent, please, help me.

The code below doesn't show any mistake, neither add an event to splunk

import splunklib.client as client

service = client.connect(
                        host=HOST,
                        port=PORT,
                        username=USERNAME,
                        password=PASSWORD)
myindex = service.indexes["main"]
mysocket = myindex.attach(sourcetype='access_combined.log',host='local')
mysocket.send(str.encode('"145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""'))
mysocket.close()
0 Karma
Reply

FrankVl
Ultra Champion
‎07-10-2018 01:22 AM

Not familiar with this python stuff, so i'll leave that to others to comment on, but I think you mean quote, not colon? At least: I don't see any colons : in your event 🙂

0 Karma
Reply

kairat
New Member
‎07-10-2018 09:31 PM

The code I provided works, but if I add :, it doesnt send event. I can replace colons, but I wonder why It doesn't work.

Splunk can read events with colons, so that's weird.

0 Karma
Reply

kairat
New Member
‎07-10-2018 09:24 PM

Colons, I forgot to add it in the event 😞 The original is like
"37.31.31.31 - - [13/Dec/2015:23:08:40 +0100] ""POST /administrator/index.php HTTP/1.1"" 200 4494 ""

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...