Re: Python splunk submit event doesnt work correct...

kairat · ‎07-08-2018

When I try to add event string like = "37.31.31.31 - - [13/Dec/2015:23:08:40 +0100] ""POST /administrator/index.php HTTP/1.1"" 200 4494 ""http://almhuette-raith.at/administrator/"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

It ignores it, not throwing any errors.

When I send events like "HELLO", "THIS IS TEST" it works.

The code sample is here:

import splunklib.client as client
service = client.connect(
                        host=HOST,
                        port=PORT,
                        username=USERNAME,
                        password=PASSWORD)

myindex = service.indexes["main"]
myindex.submit(STRING, sourcetype="access_combined.log", host="local")

Version 2
with myindex.attached_socket(sourcetype='access_combined.log') as sock:
    sock.send(str.encode(STRING))

kairat · ‎07-09-2018

I want to send an event using python-sdk.

Event's content "145.255.2.146 - - [2015-12-12:23:08:40 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

If we remove colons event will be sent, please, help me.

The code below doesn't show any mistake, neither add an event to splunk

import splunklib.client as client

service = client.connect(
                        host=HOST,
                        port=PORT,
                        username=USERNAME,
                        password=PASSWORD)
myindex = service.indexes["main"]
mysocket = myindex.attach(sourcetype='access_combined.log',host='local')
mysocket.send(str.encode('"145.255.2.146 - - [2015-12-12 +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""'))
mysocket.close()

starcher · ‎07-12-2018

You are also better off sending data via HEC rather than directly via the API like this. Since you are in python already you can use a HEC class like https://github.com/georgestarcher/Splunk-Class-httpevent

kairat · ‎07-15-2018

Thanks for your answer, the problem is in ":" colons in event, it still doesn't work with the code your provided on github. I wonder if you can try it, in my case it ignores

"145.255.2.146 - - [2015-12-12*:22:21:00* +0100] ""GET /administrator/ HTTP/1.1"" 200 4263 ""-"" ""Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"" ""-"""

PS: If I remove colons ":" it works as in using socket, and your code.

poete · ‎07-09-2018

Hello @kairat
,
did you try to escape the colons? I mean did you try to replace " with \" ?

kairat · ‎07-10-2018

It's OK with double quotes, the problem is about : When I removed colons(:), as in the comment provided with code, it works. I don't know why it's so.

poete · ‎07-16-2018

Hello @kairat,
I am confused. In the head of the post, you stated that with that code, you could not get the event added to Splunk, and now you say it works.
Anyway, the colons you removed changed the format of the date of the event, and the result format seems quite strange.
Can you please share the way you extract the date/time info for the sourcetype?

Python splunk submit event doesnt work correctly, event not found in splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Data Management Digest – May 2026

Index This | What is feather-light but cannot be held long?

.conf26 Registration is Live: Secure Your Early Bird Pass Now

Join the Conversation