Splunk Enterprise

HTTP event collector basic questions

jip31
Motivator

Hi

In the example below, I clearly understand that the "hello world" will be updated in a Splunk event

{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello world!" 
}

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

Now imagine that my json file contains many items like below

{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello world!" 
}

{
    "time": 1426279538, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello eveybody!" 
}

Should the curl command to use look like this?

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

Last question: instead of using a command prompt to send the JSON logs to Splunk, is it possible to use a JSON script to do that? Or something else?

Does anybody have good examples of that?

thanks

0 Karma
1 Solution

PickleRick
SplunkTrust

No.

As @bowesmana already told you, the -d "something" option sends the data you specify on the command line. If you want the data to be read from the file, you have to specify it as the source for the POST data with the -d @filename option. And there is no "templating"; you just specify raw data to be posted. So it will not work like "get a part of the data from the command line and iterate some file's contents over it".

No - if you want something like that, you have to implement it manually (bash scripting, python, PowerShell, whatever).


0 Karma
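As an added example of the scripting PickleRick describes (this is not code from Splunk or from any poster in the thread), the script below reads a file laid out like the one in the question, strips the `//` comments (JSON has no comments, so they must go before parsing), parses the concatenated objects, checks that every record carries an "event" key, and posts them all in one HEC request. HEC accepts several event objects concatenated in a single POST body to /services/collector/event, which is what the batch builder produces. The URL is the one from the thread; the environment variable name SPLUNK_HEC_TOKEN and the sample file contents are assumptions made for the example.

```python
"""Batch-post events from a file of JSON objects to the Splunk HTTP Event Collector.

Added example for this thread, not Splunk's code or any poster's code.
Assumes the input holds one or more JSON objects concatenated back to back
(as in the question), possibly with '//' line comments that must be stripped.
"""
import json
import os
import ssl
import urllib.request

HEC_URL = "https://localhost:8088/services/collector/event"  # URL from the thread


def strip_line_comments(text):
    """Remove // comments that sit outside JSON string literals.

    A plain regex would also eat the '//' inside "https://...", so this walks
    the text and tracks whether it is inside a quoted string.
    """
    out, in_string, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):  # copy the escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("//", i):
            nl = text.find("\n", i)               # drop up to (not including) newline
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def parse_concatenated_json(text):
    """Parse a stream of back-to-back JSON objects (not a JSON array)."""
    decoder, objects, pos = json.JSONDecoder(), [], 0
    text = strip_line_comments(text)
    while True:
        while pos < len(text) and text[pos].isspace():  # skip gaps between objects
            pos += 1
        if pos >= len(text):
            return objects
        obj, pos = decoder.raw_decode(text, pos)
        objects.append(obj)


def build_hec_batch(text):
    """Turn the file contents into one HEC request body (objects newline-separated).

    Every record must carry an "event" key; rejecting a bad record here is
    clearer than letting HEC refuse the whole batch server-side.
    """
    events = parse_concatenated_json(text)
    for n, ev in enumerate(events, 1):
        if not isinstance(ev, dict) or "event" not in ev:
            raise ValueError("record %d has no 'event' key: %r" % (n, ev))
    return "\n".join(json.dumps(ev, separators=(",", ":")) for ev in events)


def send_batch(body, url=HEC_URL, token=None, verify_tls=True):
    """POST the batch with the HEC token in the Authorization header.

    The token is a credential: read it from the environment (assumed variable
    SPLUNK_HEC_TOKEN) instead of hard-coding it or passing it on the command
    line, where it lands in shell history and 'ps' output. Only disable TLS
    verification for a self-signed lab instance, never in production.
    """
    token = token or os.environ["SPLUNK_HEC_TOKEN"]
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()  # HEC replies with a JSON status such as {"text":"Success","code":0}


# Constructed sample file in the question's layout, comments included.
SAMPLE_FILE = """
{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello world! see https://example.invalid/path"
}

{
    "time": 1426279538, // epoch time
    "host": "localhost",
    "source": "random-data-generator",
    "sourcetype": "my_sample_data",
    "index": "main",
    "event":  "Hello everybody!"
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE
    print(build_hec_batch(text))  # dry run; call send_batch(...) to actually post
```

If you would rather stay with curl, write the output of build_hec_batch() to a file and post it with -d @filename as bowesmana says; curl's -d option reads the whole file as the request body, so every event in it reaches HEC in one request.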

PickleRick
SplunkTrust

Also remember that JSON does not support comments.

0 Karma

bowesmana
SplunkTrust

Not sure I understand your examples, as you indicate the data is in a file, but you are not sending that file, only the data following the -d curl option. To send a file, you use -d @filename.

0 Karma

jip31
Motivator

Not sure you understood my question.

The curl command below creates an event with "hello world":

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

Imagine that in my JSON file I have many items with a different event name,

for example "hello world", "hello world1", "hello world2".....

Is the right curl command to apply like this?

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

What I mean is: if I don't mention the name of the event, will 3 events be created in Splunk with "hello world", "hello world1", "hello world2"?

0 Karma
