Splunk Enterprise

HTTP event collector basic questions

jip31
Motivator

Hi

In the example below, I clearly understand that the "hello world" will be updated in a Splunk event

{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello world!" 
}

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

Now imagine that my json file contains many items like below

{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello world!" 
}

{
    "time": 1426279538, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello everybody!" 
}

Should the curl command to use be like this?

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

Last question: instead of using a command prompt to send the JSON logs to Splunk, is it possible to use a JSON script to do that? Or something else?

Does anybody have good examples of that?

thanks

0 Karma

PickleRick
SplunkTrust

Also remember that JSON does not support comments.

0 Karma

bowesmana
SplunkTrust

Not sure I understand your examples, as you indicate the data is in a file, but you are not sending that file, only the data following the -d curl option. To send a file, you use -d @filename.


0 Karma

jip31
Motivator

Not sure you understood my question.

The curl command below creates an event with "hello world":

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

Imagine that in my JSON file I have many items with a different event name,

for example "hello world", "hello world1", "hello world2".....

Is the right curl command to apply like this?

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

What I mean is: if I don't mention the name of the event, will 3 events be created in Splunk with "hello world", "hello world1", "hello world2"?

0 Karma

PickleRick
SplunkTrust

No.

As @bowesmana already told you, the -d "something" option sends the data you specify on the command line. If you want the data to be read from the file, you have to specify it as the source for the POST data with the -d @filename option. And there is no "templating"; you just specify raw data to be posted. So it will not work like "get a part of the data from the command line and iterate some file's contents over it".

No - if you want something like that, you have to implement it manually (bash scripting, python, PowerShell, whatever).

0 Karma
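Doing it "manually" as the accepted answer suggests, as an added Python example that is not from this thread or from Splunk: it reads a file of concatenated JSON objects like the one in the question, strips the "// epoch time" comments that JSON does not allow, and sends every object in a single HEC batch request. The SPLUNK_HEC_TOKEN environment variable name and the sample file content are assumptions made for the example.

```python
import json
import os
import re
import urllib.request
# Constructed sample file: two concatenated objects with the thread's
# "// epoch time" comments, which JSON itself does not allow.
SAMPLE_FILE = """
{ "time": 1426279439, // epoch time
  "sourcetype": "my_sample_data", "index": "main",
  "event": "Hello world!" }

{ "time": 1426279538, // epoch time
  "sourcetype": "my_sample_data", "index": "main",
  "event": "Hello everybody!" }
"""

def strip_line_comments(text):
    """Drop '//' comments that start a line or follow whitespace (so "https://" survives)."""
    return re.sub(r"(^|\s)//.*$", r"\1", text, flags=re.M)

def parse_event_objects(text):
    """Parse concatenated JSON objects (no enclosing array) into a list of dicts."""
    decoder = json.JSONDecoder()
    text, pos, events = strip_line_comments(text), 0, []
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return events
        obj, pos = decoder.raw_decode(text, pos)
        if "event" not in obj:  # HEC rejects objects without an event key
            raise ValueError("object without 'event' key ending at offset %d" % pos)
        events.append(obj)

def build_hec_batch(events):
    """HEC accepts several event objects concatenated in one request body."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events)

def send_batch(body, url="https://localhost:8088/services/collector/event"):
    """POST one batch. The token is read from SPLUNK_HEC_TOKEN (assumed env var
    name) instead of the command line, where shell history and ps could expose it."""
    headers = {"Authorization": "Splunk " + os.environ["SPLUNK_HEC_TOKEN"],
               "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:  # TLS cert is verified
        return json.load(resp)  # HEC answers {"text":"Success","code":0}

if __name__ == "__main__":
    print(send_batch(build_hec_batch(parse_event_objects(SAMPLE_FILE))))
```

Replace SAMPLE_FILE with the contents of your real file (open(path).read()) to send it; urlopen raises on a non-2xx HEC response such as an invalid token.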