Can I call REST Endpoint of Universal Forwarder to pass log data from code?

Splunk_Shinobi
Splunk Employee

Hi

Can I call the REST endpoint of the Universal Forwarder to pass log data from code?
* not by creating a new monitor configuration

I am currently using Storm to push the data using an API call from code.
I am looking for any information on how I can do this using the Universal
Forwarder to pass the data to my distributed indexer environment.

Thanks,

0 Karma
1 Solution

melonman
Motivator

I did a simple test and found that if you don't have an index definition in the UF, the REST call will return an error, but if you do, it will eat the data.

I am not sure if this is supported or not.

My environment looks like: SH/INDEXER:9997 <- UniversalForwarder:8089

and I used this call:

curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"

Without indexes.conf in your UF, the curl command returns:

$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="WARN">supplied index missing or disabled</msg>
  </messages>
</response>

If you have this entry in indexes.conf in the UF,

$ cat indexes.conf
[main]
[myindex]

then the call went OK.

$ curl -k -u admin:changeme "https://localhost:8089/services/receivers/simple?index=myindex&source=www&sourcetype=test" -d "`date '+%s'` from API"
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>myindex</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>19</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>127.0.0.1</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>www</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>test</text>
        </value>
      </field>
    </result>
  </results>
</response>
$ 

0 Karma

dominiquevocat
SplunkTrust

Maybe this is of some use? https://splunkbase.splunk.com/app/2775/ (soon to be updated in time for .conf 2017 🙂 )

0 Karma

melonman
Motivator

If you want to send to an index that doesn't exist locally, pass "check-index=false" as a GET parameter to the call.

0 Karma
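An added example, not from the original thread, showing how the receivers/simple call above (including the check-index=false parameter from the follow-up) could be driven from code in Python with only the standard library. The forwarder URL, credentials and index are assumed placeholders, and the two sample replies are constructed from the shapes the thread shows, so the parsing runs offline.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def build_url(base, index, source, sourcetype, check_index=True):
    """Build the receivers/simple URL. check_index=False adds the
    check-index=false GET parameter for an index not defined on the forwarder."""
    params = {"index": index, "source": source, "sourcetype": sourcetype}
    if not check_index:
        params["check-index"] = "false"
    return base.rstrip("/") + "/services/receivers/simple?" + urllib.parse.urlencode(params)

def parse_response(xml_text):
    """Return (accepted, details). A WARN/ERROR <msg> means the event was
    rejected; on success <results> echoes the fields the forwarder assigned."""
    root = ET.fromstring(xml_text)
    msgs = {m.get("type"): m.text for m in root.iter("msg")}
    if "WARN" in msgs or "ERROR" in msgs:
        return False, msgs
    fields = {f.get("k"): f.findtext("value/text") for f in root.iter("field")}
    return True, fields

def send_event(base, user, password, index, source, sourcetype, payload,
               check_index=True, verify_tls=True):
    """POST one event (the body is the raw event text) with HTTP basic auth.
    verify_tls=False mirrors curl -k; keep verification on outside a lab."""
    url = build_url(base, index, source, sourcetype, check_index)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=payload.encode("utf-8"), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_response(resp.read().decode("utf-8"))

# Constructed sample replies in the two shapes shown in the thread (not live output).
REJECTED = """<?xml version="1.0" encoding="UTF-8"?><response><messages>
<msg type="WARN">supplied index missing or disabled</msg></messages></response>"""
ACCEPTED = """<?xml version="1.0" encoding="UTF-8"?><response><results><result>
<field k="_index"><value><text>myindex</text></value></field>
<field k="bytes"><value><text>19</text></value></field>
<field k="host"><value><text>127.0.0.1</text></value></field>
<field k="source"><value><text>www</text></value></field>
<field k="sourcetype"><value><text>test</text></value></field>
</result></results></response>"""
```

A live call in a lab would be `send_event("https://localhost:8089", "admin", "changeme", "myindex", "www", "test", "hello from API", verify_tls=False)`; the forwarder's own reply, not these samples, then decides accepted/rejected.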