Hello all,
I am running python 3.4.9 on CentOS 7. The issue I am having is with the following python script:
from yaml import load
from requests import session
from pprint import pprint
from json import dumps
with open('creds.yml', 'r') as cred:
credsdict = load(cred.read())
s = session()
s.auth = (credsdict['username'], credsdict['password'])
hecdict = {
'name':'test-hec-1',
'index':'test_index_one',
'description':'my test hec',
'sourcetype':'test_hec',
'source':'hectest'
}
hectest = s.post("https://splunk-url.com:8089/services/data/inputs/http?output_mode=json", json=hecdict, verify=False)
I keep getting the return payload:
{"messages": [{"text": "Cannot perform action "POST" without a target name to act on.","type": "ERROR"}]}
This makes me think that Splunk cannot handle python's request library posts. Is this a known bug?
That is the wrong endpoint to submit events to. You want the event endpoint. Though you would have an easier time using an already written HEC python class.
Thanks for your response. I'm not trying to submit an event, as you can see there is no event
field in the dictionary nor is there any existing HEC token that I'm passing through the headers. I'm trying to CREATE an HEC token, although this is probably my fault, as I should've put it in the description of the issue. My fault.
Also I took a look at the github repo you linked and the documentation appears to be lacking, so for now I'm going to be using my own scripts. But thanks for the heads up!
And yes, I have removed everything except the "name" argument in the hecdict and I have tried removing the "?output_mode=json" from the request and it still doesn't work.
And I can use a curl command with all of the inputs i have in the hecdict