I've got an HTTP API that produces a JSON payload of metrics. The payload is formatted in a way that also works for POSTing (via cURL) to a Splunk HEC and ultimately getting inserted into a "metrics"-style index. An example of the payload:

    {
      "event": "metric",
      "time": 1618573805075,
      "host": "myhostname",
      "fields": {
        "metric_name:ok.count": 1,
        "metric_name:error.count": 2,
        "product_version": "1.2.3",
        "now_unix": 1618573805075052,
        "product_name": "my cool app"
      }
    }

This works well and I can query the data using `| mpreview index="my_index_name"`.

I'm trying to set up Splunk Universal Forwarder and use a Scripted Input to cURL this endpoint and send it to the Splunk Indexer over port 9997 as per normal. I can see that the metrics endpoint is being "hit" by SUF, but I can't see any data in Splunk.

I have my Splunk-side props.conf as:

    [my_json_metrics_via_suf]
    INDEXED_EXTRACTIONS = json
    KV_MODE = none

My SUF inputs.conf:

    [script:///opt/splunkforwarder/etc/system/bin/my_curl_script.sh]
    interval = 5
    index = my_index_name
    sourcetype = my_json_metrics_via_suf
    disabled = false

Does anyone know what config I'm missing? I can see the data arriving at the Splunk server via `tcpdump`.
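Added here as a debugging aid, not part of the question above: a small Python validator for the HEC multiple-measurement metric shape the payload uses. It assumes `event` is the literal string "metric", every `metric_name:<name>` key carries a numeric value, and the remaining `fields` entries are dimensions; the sample payloads are constructed for the example. Running it over what the scripted input actually emits shows a payload that fails to parse as an explicit JSON error rather than as silently missing data.

```python
import json

# Constructed sample payload, shaped like the one in the question.
SAMPLE_OK = """{
  "event": "metric",
  "time": 1618573805075,
  "host": "myhostname",
  "fields": {
    "metric_name:ok.count": 1,
    "metric_name:error.count": 2,
    "product_version": "1.2.3",
    "now_unix": 1618573805075052,
    "product_name": "my cool app"
  }
}"""

# Constructed sample with the comma dropped after the second measurement.
SAMPLE_BAD_JSON = SAMPLE_OK.replace('"metric_name:error.count": 2,',
                                    '"metric_name:error.count": 2')


def validate_hec_metric_event(text):
    """Check one HEC-style multi-measurement metric event.

    Returns (problems, measurements, dimensions): problems is a list of
    strings (empty when the event looks indexable), measurements maps
    metric name -> numeric value, dimensions holds the remaining fields.
    """
    problems, measurements, dimensions = [], {}, {}
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"], measurements, dimensions
    if doc.get("event") != "metric":
        problems.append('"event" must be the literal string "metric"')
    if isinstance(doc.get("time"), bool) or not isinstance(doc.get("time"), (int, float)):
        problems.append('"time" must be a number (epoch seconds or milliseconds)')
    fields = doc.get("fields")
    if not isinstance(fields, dict):
        return problems + ['"fields" must be an object'], measurements, dimensions
    for key, value in fields.items():
        if key.startswith("metric_name:"):
            name = key[len("metric_name:"):]
            # bool is a subclass of int in Python, so exclude it explicitly
            if not name or isinstance(value, bool) or not isinstance(value, (int, float)):
                problems.append(f"measurement {key!r} needs a numeric value, got {value!r}")
            else:
                measurements[name] = value
        else:
            dimensions[key] = value
    if not measurements:
        problems.append('no "metric_name:<name>" measurements found')
    return problems, measurements, dimensions
```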