Hi,
In the example below, I clearly understand that the "hello world" will be updated in a Splunk event.
{
"time": 1426279439, // epoch time
"host": "localhost",
"source": "random-data-generator",
"sourcetype": "my_sample_data",
"index": "main",
"event": "Hello world!"
}
curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'
Now imagine that my JSON file contains many items like below:
{
"time": 1426279439, // epoch time
"host": "localhost",
"source": "random-data-generator",
"sourcetype": "my_sample_data",
"index": "main",
"event": "Hello world!"
}
{
"time": 1426279538, // epoch time
"host": "localhost",
"source": "random-data-generator",
"sourcetype": "my_sample_data",
"index": "main",
"event": "Hello eveybody!"
}
Should the curl command to use be like this?
curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'
Last question: instead of using a command prompt to send the JSON logs to Splunk, is it possible to use a JSON script to do that? Or something else?
Does anybody have good examples of that?
Thanks
No.
As @bowesmana already told you - the -d "something" option sends the data you specify on the command line. If you want the data to be read from the file, you have to specify it as the source for the POST data with the -d @filename option. And there is no "templating"; you just specify raw data to be posted. So it will not work like "get a part of the data from the command line and iterate some file's contents over it".
No - if you want something like that, you have to implement it manually (bash scripting, Python, PowerShell, whatever).
Also remember that JSON does not support comments.
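An added example, not part of the thread: one way to do the manual implementation mentioned above, in Python. It reads a file of JSON objects written one after another, checks that each has an "event" key, and sends them in a single POST, relying on HEC accepting several event objects stacked in one request body. The function names, the script name and the SPLUNK_HEC_TOKEN environment variable are assumptions made for this example; reading the token from the environment keeps it out of the command line and shell history.

```python
import json
import os
import sys
import urllib.request

HEC_URL = "https://localhost:8088/services/collector/event"  # endpoint used in the thread

# Constructed sample: three event objects written back to back, as in the question.
SAMPLE = """
{"time": 1426279439, "sourcetype": "my_sample_data", "event": "hello world"}
{"time": 1426279538, "sourcetype": "my_sample_data", "event": "hello world1"}
{"time": 1426279637, "sourcetype": "my_sample_data", "event": "hello world2"}
"""

def read_stacked_json(text):
    """Return every JSON object found in text, where objects follow one another."""
    decoder, pos, objects = json.JSONDecoder(), 0, []
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # raw_decode does not skip leading whitespace itself
        if pos == len(text):
            return objects
        # Raises json.JSONDecodeError on invalid input, including // comments.
        obj, pos = decoder.raw_decode(text, pos)
        objects.append(obj)

def build_batch(text):
    """Validate each object and return one HEC request body, one event per line."""
    lines = []
    for number, obj in enumerate(read_stacked_json(text), start=1):
        if not isinstance(obj, dict) or "event" not in obj:
            raise ValueError(f"object {number} has no 'event' key")
        lines.append(json.dumps(obj))
    return "\n".join(lines).encode("utf-8")

def send_batch(body, token, url=HEC_URL):
    """POST the batch with the same Authorization header as the curl command."""
    request = urllib.request.Request(
        url, data=body, headers={"Authorization": f"Splunk {token}"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status

if __name__ == "__main__":
    # Assumed usage: SPLUNK_HEC_TOKEN=<token> python send_events.py events.json
    with open(sys.argv[1], encoding="utf-8") as handle:
        payload = build_batch(handle.read())
    print(send_batch(payload, os.environ["SPLUNK_HEC_TOKEN"]))
```

A file that still contains `// epoch time` comments fails in `build_batch` before anything is sent, which is the point about JSON comments made above.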
Not sure I understand your examples, as you indicate the data is in a file, but you are not sending that file, only the data following the -d curl option. To send a file, you use -d @filename.
Not sure you understood my question.
The curl command below creates an event with "hello world":
curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'
Imagine that in my JSON file I have many items with different event names,
for example "hello world", "hello world1", "hello world2".....
Is the correct curl command to apply like this?
curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'
What I mean is: if I don't mention the name of the event, will 3 events be created in Splunk with "hello world", "hello world1", "hello world2"?